Abstract

This report is the second in a series that will examine Linux-specific, Volatility-based memory malware analysis techniques. Windows-based malware memory analysis techniques were analysed in a previous series. Some of the techniques described in those Windows-based reports, including data carving and anti-virus scanning, are not applicable to Linux-based analyses. Thus, with minimal use of scanner-based technologies, the author will demonstrate what to look for while conducting Linux-specific Volatility-based investigations. Each investigation consists of an infected memory image and its accompanying Volatility memory profile, which will be used to examine a different open source rootkit. Some of the rootkits are user-land while others are kernel-based. Rootkits were chosen over Trojans, worms and viruses because rootkits tend to be more sophisticated. This specific investigation examines the IVYL rootkit. It is hoped that, through the proper application of various Volatility plugins combined with an in-depth knowledge of the Linux operating system, these case studies will provide guidance to other investigators in their own analyses.


Significance to defence and security

Canadian Armed Forces’ (CAF) networks are a choice target for malware and directed attacks. This series of reports will provide junior and senior incident handlers alike with the necessary knowledge to investigate and mitigate complex attacks using only a memory image and a functional knowledge of the Linux operating system. As Linux continues to play a more important role in IT and the data centres of the Government of Canada and National Defence, some of these systems will invariably become infected. Thus, when this happens and when analysts and incident handlers have to intervene, it is hoped that these reports will have helped them to prepare for just such an occasion.
Summary

This report is the second in a series examining Linux-specific memory malware analysis techniques using the Volatility tool. Windows memory malware analysis techniques were described in previous reports. However, some of those techniques, such as data carving and anti-virus scanning, do not apply to Linux-based analyses. Consequently, with minimal use of scanning technologies, the author will demonstrate what to look for when conducting Linux-specific investigations with Volatility. Each investigation consists of an infected memory image, accompanied by its Volatility memory profile, and will examine a different open source rootkit. Some will be user-mode while others will be kernel-mode. Rootkits were preferred over Trojans, worms and viruses because they tend to be more sophisticated. This investigation specifically examines the IVYL rootkit. It is hoped that, with the proper use of various Volatility plugins and an in-depth knowledge of the Linux operating system, these case studies will provide guidance to other investigators for their own analyses.


Significance to defence and security

Canadian Armed Forces (CAF) networks are a choice target for malware and directed attacks. This series of reports will provide junior and senior incident handlers alike with all the knowledge required to investigate and mitigate complex attacks using only a memory image and a functional knowledge of the Linux operating system. As Linux plays an increasingly important role in IT and in the data centres of the Government of Canada and National Defence, some of these systems will invariably become infected. Consequently, when that happens and incident handlers have to intervene, we hope that these reports will have helped them prepare for such an occasion.
Disclaimer policy

It must be understood from the outset that this report examines computer malware and that handling virulent software is not without risk. As such, the reader should ensure that he has taken all the necessary precautions to avoid infecting his own computer system and those around him, whether on a corporate network or isolated system.

The reader must neither construe nor interpret the work described herein by the author as an endorsement of the aforementioned techniques and capacities as suitable for any specific purpose, construed, implied or otherwise. Moreover, the author does not endorse the specific use of any of the tools or techniques examined herein. While the author felt most comfortable working from within a Linux environment, the author does not specifically recommend the use of such a system for the reader. Instead, the reader should use the environment in which he is most comfortable.

Furthermore, the author of this report absolves himself in all ways conceivable with respect to how the reader may use, interpret or construe this report. The author assumes absolutely no liability or responsibility, implied or explicit. Moreover, the onus is on the reader to be appropriately equipped and knowledgeable in the application of digital forensics. Due to the offensive nature of computer malware, the author is in no way responsible for the reader’s use of any malware, whether examined herein or otherwise, in any offensive or defensive nature against any entity, even against the reader himself, for any purpose whatsoever.

Finally, the author and the Government of Canada are henceforth absolved from all wrongdoing, whether intentional, unintentional, construed or misunderstood on the part of the reader. If the reader does not agree to these terms, then his copy of this Scientific Report must be destroyed. Only if the reader agrees to these terms should he continue in reading it beyond this point. It is further assumed by all participants that if the reader has not read said Disclaimer upon reading this report and has acted upon its contents, then the reader assumes all responsibility for any repercussions that may result from the information and data contained herein.
Requirements, assumptions and exclusions

The author assumes that the reader is altogether familiar with digital forensics and the various techniques and methodologies associated therein. This report is not an introduction to digital forensics or to said techniques and methodologies. However, the author has endeavoured to ensure that the reader can carry out his own forensic analysis of a computer memory image suspected of malware infection based on the information and techniques described herein.

The experimentation conducted throughout this report was carried out atop a Fedora 21 64-bit Linux operating system. Unlike the various Windows infected memory case studies, neither anti-virus (AV) nor data carving techniques worked particularly well against Linux-based memory images. As such, the former is used minimally while the latter is not used at all in this report. Consequently, the methodology presented in this series of reports is quite different from that presented in the Windows Volatility-based series of memory malware analyses.

It is important that the reader have permission to use these tools on his computer system or network. Use of these tools and the analysis of virulent software always carry some inherent risk that must be securely managed and adequately mitigated.

An in-depth study of memory analysis techniques is outside the scope of this work, as it requires a comprehensive study of operating system internals and software reverse engineering techniques, both of which are difficult subjects to approach. Instead, this work should be considered as a guide to using the Volatility memory analysis framework for the analysis of a Linux-based memory malware infection.

In this report, the words rootkit, infection and malware are used interchangeably. The same applies for kernel module, driver and Loadable Kernel Module (LKM).

Finally, the masculine is employed throughout this text for the purpose of simplification.
Availability of Linux memory images and profiles

Various Linux-based memory images are available from different publicly available sources, most notably among them those from SecondLook. The author, for the time being, has endeavoured to build his own virtual machines and memory profiles to be independent of those already available.

The author will endeavour to ensure that his memory images and profiles will be made available to anyone requesting a copy, as laws and international agreements allow. The author can be contacted at val-forensics@drdc-rddc.gc.ca. Please state your name, organization, country and mailing address including additional contact information and one will be mailed to you within a reasonable delay. No PO Boxes will be accepted — commercial and government mailing addresses only.
1 Background

1.1 Objective

The objective of this report is to examine how a computer forensic investigator/incident handler, without specialised computer memory or software reverse engineering skills, can successfully investigate a Linux-based memory image suspected of infection.

To successfully investigate such an image, this report will use an applied plugin-based approach, as it uses demonstrable procedures that intermediate-level investigators and incident handlers can use as a basis for investigating suspected memory images.

The work is based on the publicly available source code for the IVYL rootkit. This document is the third in a series of reports that examines Linux-based malware memory analysis. This specific report surveys what to look for when examining a kernel-based rootkit. Ultimately, these reports will provide a foundational framework that novice and experienced investigators alike can rely on for guidance when investigating infected Linux memory images.

Unlike the previous Windows-based reports, it was determined that Linux-specific memory analysis case studies and reports have been left woefully unexamined by the community, at least as of the time of this writing, hence prompting the author to write this case study and its subsequent follow-up studies.

1.2 Project support

This work was carried out over a period of several months as a collaborative effort between DRDC - Valcartier Research Centre and the RCMP, as part of the Live Computer Forensics project (SRE-09-015, 31XF20).

1.3 Target audience

The results of this project may also be of great interest to the Canadian Forces Network Operations Centre (CFNOC), the RCMP’s Integrated Technological Crime Unit (ITCU), the Sûreté du Québec and other law enforcement-related cyber investigation teams.

The target audience for this report is the computer forensic investigator who assesses suspect computer memory images for evidence of infection and the incident handler who is called on to assess or intervene in a possible malware infection. While previous reports were targeted at investigators and incident handlers working with Windows-based memory images and malware, this new series of reports will be directed at those who must analyse Linux malware-infected memory images.

The skills amassed by incident handlers and investigators alike while using Volatility to examine Windows memory images will be of some help. However, Linux and Windows are not the same, and while there is commonality in the approach used by the author throughout both series of reports, important differences are apparent. To extract the maximum value from this report, the reader should have a working knowledge of Linux, basic system administration and software compilation.


1.4 IVYL rootkit background

Written by Arkadiusz Hiler (ivyl) and t3hknr, IVYL is a kernel-based rootkit. While it does have some useful capabilities that some will find interesting, it does not have the ability to perform Pluggable Authentication Module (PAM) hooking, nor does it provide a configuration file for enabling specific functionality prior to compilation, unlike KBeast [8].

As is somewhat common with anti-virus (AV) vendors, no technical analysis was available from them concerning IVYL. What is known about it comes from information made available by its author. The source code was accompanied by a more technical document that was unfortunately only available in Polish. The version of the rootkit’s source code used in this analysis is the latest version, released October 2013.

IVYL is a kernel rootkit and must be compiled and loaded into kernel-space to infect the system. Since there is no supplemental configuration file, compilation is straightforward, relying exclusively on the included Makefile. However, to load the rootkit Loadable Kernel Module (LKM), the attacker must have already gained root-level access.

According to the rootkit’s author, it is a “sample” rootkit with the following capabilities [1, 2]:

- Creates kernel /proc structure /proc/rtkit from which to issue rootkit-specific commands;

- Has the ability to hide (remove itself from the list of modules);

- File hiding (achieved by hooking procfs and readdir calls);

- Ability to open a root shell; and

- Ability to change memory page rights.

Based on this list of capabilities, it does not appear to be as advanced as KBeast or Jynx2 [8, 9]. However, as this analysis will reveal, this rootkit is very difficult to identify by itself as long as no augmented root shell has been opened. Even so, this rootkit could be easily augmented due to its open source nature.

A brief analysis of the source code indicates that these capabilities appear to be valid claims; however, the author has not verified them in depth. Nevertheless, there is no reason to believe these claims to be false. Moreover, insufficient information is available to determine which kernels the rootkit is capable of infecting. Finally, rootkit compilation specifics are found in Section 1.6.


1.5 Information concerning the guest VM

The Linux test virtual machine (VM) which was infected with IVYL was built atop Ubuntu 11.04 x64 and was installed from DVD media. The VM was allocated 2 CPUs and 4 GiB RAM, and the default Ubuntu VirtualBox parameters for the VM were used. Once the VM’s operating system was installed and found to be functional, VirtualBox’s Guest Additions were installed. The system appeared to be in good working order except that dwarfdump and its required dependencies were not installed from the DVD media installation and the various online repositories for Ubuntu 11.04 were no longer available. Thus, the source code for the variously required packages had to be downloaded from the web, compiled and then installed within the VM. Once this was done, the operating system was then temporarily shut down.

1.6 Compiling and loading the rootkit

The rootkit’s source code, found in downloaded file rootkit-master.zip (SHA1 hash of DA750D4DB065480CC6243C34A55EDD7E901CE63B), was copied over to the VM through a shared folder (mounted read-only) atop directory /tmp, where it was unpackaged and compiled according to the following commands:

$ mkdir /rootkit

$ mv rootkit-master.zip /rootkit; cd /rootkit

$ unzip rootkit-master.zip

$ make

Upon successful compilation, the rootkit is then loaded by the attacker into kernel-space using command insmod rt.ko. The rootkit is now compiled and loaded.

To obtain a list of commands available from the rootkit, use command cat /proc/rtkit. To gain a root shell, use the shell program tools/rtcmd.py found within the tools directory where the rootkit’s ZIP archive was unpacked and type tools/rtcmd.py mypenislong¹ /bin/bash.

¹ My Pen Is Long.
Available commands for this particular version of the rootkit are shown in the following figure:

RTKIT
DESC:

hides files prefixed with _ rt or 10- _ rt and gives root

CMNDS:

mypenislong - uid and gid 0 for writing process
hpXXXX - hides proc with id XXXX
up - unhides last process
thf - toogles file hiding
mh - module hide
ms - module show
STATUS
fshide: 1
pidshidden: 0
module hidden: 1

Figure 1: Command output for cat /proc/rtkit.

Running tools/rtcmd.py results in a command shell, regardless of the user’s UID. /proc/rtkit is not visible to the system when perusing /proc; its existence must be known, as its presence cannot be derived by looking at the files in this directory.
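The two hiding behaviours described above (a /proc entry that readdir omits but a direct open still reaches, and a PID hidden with hpXXXX) can be exposed by comparing the directory listing with direct lookups. The following Python script is an added example, not code from the report or from the rootkit; the control-file name rtkit is taken from the text, and the Tgid check on /proc/<pid>/status is the author's assumption for filtering out thread IDs, which are also reachable by direct lookup without ever being listed.

```python
"""Cross-check /proc directory listings against direct lookups.

A readdir hook (as IVYL uses for procfs) removes entries from directory
listings, but a direct open() or stat() on a known path still succeeds.
Enumerating candidate names and probing each one exposes the gap.
"""
import os


def unlisted_entries(listed, candidates, exists):
    """Return candidates absent from `listed` that `exists` nevertheless confirms.

    `listed` is what readdir reported; `exists` is a direct-lookup probe.
    """
    listed = set(listed)
    return sorted(c for c in candidates if c not in listed and exists(c))


def make_pid_probe(proc="/proc"):
    """Probe that confirms a PID by reading /proc/<pid>/status directly.

    Threads (TIDs) are reachable by direct lookup although readdir never
    lists them; requiring Tgid == pid keeps only thread-group leaders, so
    ordinary threads are not reported as hidden processes.
    """
    def probe(pid):
        try:
            with open(f"{proc}/{pid}/status") as fh:
                for line in fh:
                    if line.startswith("Tgid:"):
                        return int(line.split()[1]) == pid
        except OSError:          # no such pid, or it exited between listing and probe
            return False
        return False
    return probe


def make_name_probe(proc="/proc"):
    """Probe that confirms a non-numeric /proc entry (e.g. rtkit) by direct stat."""
    def probe(name):
        try:
            os.stat(f"{proc}/{name}")
            return True
        except OSError:
            return False
    return probe


def scan_proc(proc="/proc", pid_max=None, extra_names=("rtkit",)):
    """Report PIDs and names reachable by direct lookup but missing from readdir.

    Probing every PID up to pid_max (read from the kernel when not given) is
    slow on systems with a large pid_max but needs no privileges.
    """
    names = os.listdir(proc)
    listed_pids = {int(n) for n in names if n.isdigit()}
    if pid_max is None:
        with open(f"{proc}/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    hidden_pids = unlisted_entries(listed_pids, range(1, pid_max + 1),
                                   make_pid_probe(proc))
    hidden_names = unlisted_entries(names, extra_names, make_name_probe(proc))
    return hidden_pids, hidden_names


if __name__ == "__main__":
    pids, entries = scan_proc()
    print("PIDs hidden from readdir:", pids or "none")
    print("/proc names hidden from readdir:", entries or "none")
```

A process that exits between the listing and the probe can appear as a hidden PID, so a hit should be re-checked before being treated as evidence.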


1.7 Memory image metadata

Two memory images were taken of the VM. One was taken just prior to infection and the other just after rootkit infection. In so doing, it is possible to compare a clean system to an infected system in the event that such comparative information is required during the analysis of the infected memory image.

For these two memory images, similarities in their fuzzy hashes have been identified in Table 1 and Table 2 below (pink characters) to identify large memory structures that have more or less remained the same [13].

Both acquired memory images should have been exactly 4 GiB in size, but as it turned out were not. Instead, they were each approximately 3% larger, thereby indicating that the VirtualBox-specific overhead for this memory dump was non-negligible.

The VM’s memory was dumped to obtain an uninfected baseline memory. This was done by restarting the VM using the following command [3]:

$ virtualbox --debug -startvm "Ubuntu 11.04 x64"

VM memory was then dumped using the following command [3]:

$ vboxmanage debugvm "Ubuntu 11.04 x64" dumpguestcore --filename ubuntu1104_IVYL.mem

This process was repeated shortly after infection of the VM.

The Volatility profile, ubuntu1104_x64_profile.zip, was generated as per the instructions found in [7]. The profile is available to the reader as per the eligibility requirements set out on page xiii.

1.7.1 Uninfected baseline memory image metadata

The metadata in Table 1 accurately describes the uninfected baseline memory image.

Table 1: Linux Ubuntu 11.04 x64 uninfected memory image metadata.

Memory image name: ubuntu1104_base.mem
Actual size (exact): 4,433,464,300 bytes
Expected size (exact): 4,294,967,296 bytes
SHA1 hash: 2418140bbf0bbc127060e1e88dd2b1ebed9ff5fc
Fuzzy hash: 1572864:+KPyCJuc0VVMRdoe0kVx8wQzdB5YpQVHQ9zrqaIIBUuQQBm32+uzQjn6132H+x9:fyCkct2zerQlBUDQB82+YsivjKRPly

1.7.2 Infected memory image metadata

The metadata in Table 2 accurately describes the infected memory image.

Table 2: Linux Ubuntu 11.04 x64 IVYL infected memory image metadata.

Memory image name: ubuntu1104_IVYL.mem
Actual size (exact): 4,433,464,300 bytes
Expected size (exact): 4,294,967,296 bytes
SHA1 hash: 27776a171bd8ea55826d6cecb8c1feee7a2ca94b
Fuzzy hash: 3145728:RyCksLpf27G6r9IBmZ7Jo3C3FV4zEogszf+m:dLpf27fr91BmjwR
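As an added example (not part of the report), the following Python helper applies ssdeep's own comparison rules to the two fuzzy hashes of Tables 1 and 2: the hash strings are copied from the tables, the block-size rule and the 7-character minimum overlap are taken from the ssdeep algorithm, and the helper reports which chunks are comparable and the longest run they share, which is the kind of overlap the tables highlight.

```python
"""Compare two ssdeep signatures such as those in Tables 1 and 2.

An ssdeep signature is "blocksize:chunk1:chunk2", where chunk2 was computed
with twice the block size. ssdeep compares two signatures only when their
block sizes are equal or differ by a factor of two, and it scores a pair as
similar only if the compared chunks share a substring of at least 7
characters (its rolling-window length). The full algorithm also collapses
runs of repeated characters and computes an edit-distance score; this
helper stops at the common-substring test, which is the part that decides
whether any similarity is reported at all.
"""
from dataclasses import dataclass

MIN_COMMON = 7  # ssdeep's ROLLING_WINDOW: shorter overlaps score 0

# Values copied from Table 1 (baseline) and Table 2 (infected).
BASE_HASH = ("1572864:+KPyCJuc0VVMRdoe0kVx8wQzdB5YpQVHQ9zrqaIIBUuQQBm32+uzQjn6132H+x9"
             ":fyCkct2zerQlBUDQB82+YsivjKRPly")
INFECTED_HASH = "3145728:RyCksLpf27G6r9IBmZ7Jo3C3FV4zEogszf+m:dLpf27fr91BmjwR"


@dataclass
class Signature:
    blocksize: int
    chunk1: str
    chunk2: str


def parse_ssdeep(sig):
    """Split 'blocksize:chunk1:chunk2' (the base64 chunks never contain ':')."""
    blocksize, chunk1, chunk2 = sig.split(":", 2)
    return Signature(int(blocksize), chunk1, chunk2)


def longest_common_substring(a, b):
    """Return the longest substring shared by a and b (first one found on ties)."""
    best, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best, best_end = cur[j], i
        prev = cur
    return a[best_end - best:best_end]


def comparable_chunks(x, y):
    """Pick the chunk pairs ssdeep would compare, per its block-size rule."""
    if x.blocksize == y.blocksize:
        return [(x.chunk1, y.chunk1), (x.chunk2, y.chunk2)]
    if x.blocksize * 2 == y.blocksize:      # Table 1 vs Table 2 is this case
        return [(x.chunk2, y.chunk1)]
    if y.blocksize * 2 == x.blocksize:
        return [(x.chunk1, y.chunk2)]
    return []


def compare(sig_a, sig_b):
    """Return (comparable, longest shared run, meets ssdeep's 7-char threshold)."""
    pairs = comparable_chunks(parse_ssdeep(sig_a), parse_ssdeep(sig_b))
    if not pairs:
        return False, "", False
    run = max((longest_common_substring(a, b) for a, b in pairs), key=len)
    return True, run, len(run) >= MIN_COMMON


if __name__ == "__main__":
    ok, run, similar = compare(BASE_HASH, INFECTED_HASH)
    print(f"comparable={ok} shared_run={run!r} "
          f"ssdeep_would_score={'>0' if similar else '0'}")
```

For the two images in the tables the block sizes differ by exactly a factor of two, so only one chunk pair is compared; the longest run those chunks share is three characters, below ssdeep's threshold, which is why a short visual overlap between two fuzzy hashes should not be read as a similarity score.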

1.8 AV scanners used

This report makes use of six anti-virus scanners, the same six as those used in reports [8, 9]. These scanners continue to represent a wide cross-section of the various detection mechanisms necessary for the detection of diverse malware. Each scanner was updated December 2, 2014; the analysis was then carried out. Scanner specifics are listed in Table 3.
Table 3: List of anti-virus scanners and their command line parameters.

Anti-virus scanner: Command line parameters

Avast v.1.3.0 command line scanner: avast -c

AVG 2013 command line scanner version 13.0.3114: avgscan -H -P -p

BitDefender for Unices v7.90123 Linux-amd64 scanner command line: bdscan (no parameters used)

Comodo Antivirus Product Version 1.1.268025.1 / Virus Signature Database Version 16954: cmdscan -v -s

FRISK F-Prot version 6.3.3.5015 command line scanner: fpscan -u 4 -s 4 -z 10 --adware --applications --nospin

McAfee VirusScan for Linux64 Version 6.0.3.356 command line scanner: uvscan -RECURSIVE -ANALYZE -MANALYZE -MIME -PANALYZE -UNZIP -VERBOSE
2 Peripheral concerns

2.1 Why examine Linux memory images or make them available?

After extensively searching the available public literature, it became clear that few detailed Linux-based memory analyses could be found. In addition, those few reports or documents that were found were not of sufficient quality to enable others to readily learn the necessary techniques or approaches to conducting their own analyses that were specifically targeted towards non-memory specialists and non-reverse engineers. The author has opted to build his own virtual machines and infect them to be independent of those already done.

The author asserts that by methodically conducting various Linux-based memory analyses using a memory analysis framework such as Volatility, and sharing the techniques and methods used for these analyses with the digital forensics community, it will help to further advance the capabilities of investigators and incident handlers alike when dealing with potentially infected Linux memory images. Just as with the now completed Windows series of reports, which provide a detailed methodology for conducting Volatility-based malware memory analysis for non-experts, this series of Linux-based reports hopes to have the same impact for the Linux audience.

2.2 Volatility background

Volatility 2.4 is used for the analysis of the memory image infected by the IVYL rootkit. This version of the framework, at the time of writing, is considered the stable public release and is suitable for use by both the general public and investigators alike, although it may not necessarily have the most recent or bleeding-edge plugins. It was released for public use August 2014.

Originally written by Aaron Walters of Volatile Systems, Volatility has become a full-fledged memory analysis framework. It is written entirely in Python and can therefore be run atop Windows, Linux and other various operating systems supporting Python. Volatility began supporting Linux-based memory analysis in previous versions, although its current support has improved a great deal. However, its Windows support continues to remain both more robust and reliable. Currently, it is developed by a variety of contributors, although the most well-known of these are Michael Ligh, Jamie Levy, Brendan Dolan-Gavitt, Andrew Case and Mike Auty. Furthermore, each of these individuals has made significant contributions to the digital forensics community over the last few years. Michael Cohen, who was formerly with the project, has gone on to found Rekall (https://code.google.com/p/rekall), a memory analysis framework similar to Volatility that at the time of this writing is not yet ready for public use.

The Linux plugins supported by version 2.4 of Volatility are described in Annex A.

2.3 Purpose of these tutorials

Although online tutorials concerning infected Linux-based memory images exist, these tutorials are generally written for a highly technical audience already familiar with software reverse engineering and memory forensics. They typically provide either too little information or are too technical to be of much use to most investigators and incident handlers.

Thus, the author asserts that re-examining and thoroughly documenting the steps and procedures used to identify various rootkit-based infections will aid the reader in unravelling his own malware-based investigations. It is hoped that these reports will build a compendium of knowledge to serve the forensic community as learning guides and tutorials.

The author has made all efforts to ensure that this document and the investigation of the IVYL rootkit are comprehensible to the general computer forensic practitioner, in the hopes of reaching as wide an audience as possible and having a more significant impact.

2.4 Issues concerning data carving

Unlike Windows-based memory images, it turns out that data carving is not particularly effective against Linux-based memory images. Experimentation by the author has revealed that once a Linux binary, whether an executable or a compiled library file, has been loaded into memory, it loses its ELF header, thereby making its detection and subsequent carving very difficult. Without an ELF header from which to start, data carvers and recovery software will not be able to identify the starting point of a given library or executable in memory. The author attempted ten different memory experiments using both 32 and 64-bit Linux operating systems. Between them, only one ELF-based file was ever recovered. The other files recovered were mostly text-based data files.

The reader may recall that these same data carving techniques worked moderately well against Windows-based memory images. This is because Windows executables and libraries have their PE header loaded into memory, making them readily identifiable and recoverable.

Moreover, the various techniques examined in the Windows series of reports found that occasionally some of the malware carved from a memory image matched those dumped from the memory image using Volatility. What this means is that data recovery tools and software are more likely to recover intact (or partially intact) malware from Windows memory images as compared to those from Linux. The various MD5/SHA1 and fuzzy hashing (file similarity matching) used for Windows also confirm this assertion. As of Volatility 2.4, a new plugin, linux_elf, has been designed to help investigators determine where ELF files are residing within a memory image using alternate means.
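To make concrete what a data carver depends on, and why a missing header defeats it, here is an added Python example (not code from the report or from any carving tool): it locates the ELF magic in a raw buffer and validates the header fields that follow, then runs over a constructed buffer holding an intact ELF64 header as found on disk, a decoy that has only the magic bytes, and a copy whose header was cleared in the way the report observes for mapped binaries. All sample bytes are constructed here; the header layout and field sizes are those of the ELF specification.

```python
"""Minimal ELF-header carver of the kind a data carver relies on."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
EM_X86_64 = 62


def parse_elf_header(buf, off):
    """Parse and sanity-check an ELF header at buf[off:]; None if it is not one."""
    if buf[off:off + 4] != ELF_MAGIC:
        return None
    ei_class, ei_data, ei_version = buf[off + 4], buf[off + 5], buf[off + 6]
    if ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1:
        return None
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:            # ELF64: 16-byte e_ident + 48-byte body
        fmt, hdr_len = endian + "HHIQQQIHHHHHH", 64
    else:                        # ELF32: 16-byte e_ident + 36-byte body
        fmt, hdr_len = endian + "HHIIIIIHHHHHH", 52
    if off + hdr_len > len(buf):
        return None
    (e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = \
        struct.unpack(fmt, buf[off + 16:off + hdr_len])
    # Cross-checks that weed out random bytes following a stray magic value.
    if e_version != 1 or e_ehsize != hdr_len or e_type not in ET_NAMES:
        return None
    if e_phnum and e_phentsize != (56 if ei_class == 2 else 32):
        return None
    return {"offset": off, "class": 32 * ei_class, "type": ET_NAMES[e_type],
            "machine": e_machine, "entry": e_entry, "phoff": e_phoff,
            "phnum": e_phnum}


def carve_elf_headers(buf):
    """Return every validated ELF header found anywhere in the buffer."""
    found, pos = [], buf.find(ELF_MAGIC)
    while pos != -1:
        hdr = parse_elf_header(buf, pos)
        if hdr:
            found.append(hdr)
        pos = buf.find(ELF_MAGIC, pos + 1)
    return found


def build_elf64_header(e_type=3, e_machine=EM_X86_64, e_entry=0x1040, phnum=2):
    """Constructed sample: a plausible little-endian x86-64 ELF64 header."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    body = struct.pack("<HHIQQQIHHHHHH", e_type, e_machine, 1, e_entry,
                       64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return e_ident + body


def build_sample_image():
    """Constructed image: disk-like copy, decoy magic, and a copy with its header lost.

    Returns the buffer and the offset at which the one carvable header sits.
    """
    intact = build_elf64_header() + b"\x90" * 200
    decoy = ELF_MAGIC + bytes([9, 9, 9]) + b"\xff" * 70   # magic, invalid e_ident
    in_memory = b"\0" * 64 + b"\x90" * 200                # header page cleared
    filler = b"\xaa" * 128
    image = filler + intact + filler + decoy + filler + in_memory + filler
    return image, len(filler)


if __name__ == "__main__":
    image, expected = build_sample_image()
    for hdr in carve_elf_headers(image):
        print(hdr)  # only the intact, disk-like copy is reported
```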

2.5 Issues concerning AV analysis

Further complicating Linux-based malware memory analysis is the lack of Linux-specific malware detection using various AV scanners. While the various scanners used throughout the Windows reports worked well against both Volatility-dumped and data-carved files, these very same AV scanners (Avast, AVG, BitDefender, ClamAV², Comodo², Frisk F-Prot and McAfee) fared poorly against the Linux-based rootkits. Quite the opposite was in fact expected. Since these rootkits were all open source, it would have followed that the various scanners would have included some basic signature or heuristic detection capability. After all, these rootkits will inevitably be used as the basis for future rootkits. Unfortunately, this was not the case at all.

Thus, both this report and the series of Linux-based reports will make little use of AV scanners. That, however, requires the reader to have a very good understanding of Linux to make up for what the scanners fail to detect. Nevertheless, certain portions of each Linux-based report will still use AV scanners in the hope that they may be able to reveal something pertinent concerning a rootkit. Specifics are available in the analysis portion of this and subsequent follow-up reports.

² This AV was used in some Windows memory malware reports but not others.

DRDC-RDDC-2015-R060

2.6 Issues concerning the NSRL

The National Software Reference Library (NSRL) is a standardised and trustworthy source of computer operating system and application file names and hashes (MD5/SHA1). It is not particularly well suited to Linux-based investigations as there are far too many Linux distributions (hundreds of publicly available distributions are known to exist) to be covered by the NSRL, including all the various kernel versions in use³. As such, it does not make sense to rely on the NSRL for file name listings and hashes for comparative purposes against data files recovered from a Linux memory image. For that reason, these reports and their examination of various infected Linux memory images will not use the NSRL as was done for the Windows series of reports.

³ A full listing of which Linux distributions are supported by a given version of the NSRL can be found in its “nsrlprod.txt” file.
3 Memory analysis of IVYL using Volatility

3.1 Step 1: AV analysis of memory images and source code

This step examines an infected memory image, source code and compiled rootkit using the various scanners in the hope of identifying any of them as infected.

3.1.1 Memory image analysis

None of the scanners listed in Section 1.8 found anything in memory image ubuntu_1104_IVYL.mem.

3.1.2 Rootkit analysis

The compiled rootkit, file rt.ko, was obtained by manually mounting the VM disk image and copying it to the host system’s disk. This file was then scanned and nothing was detected.

This file is 11,998 bytes in size with a SHA1 hash of 0BE6D9510737EC6D96A361B53CA0C22CCAEC1529. It was submitted to VirusTotal⁴ for inspection against a total of 57 scanners, all of which failed to detect anything.

3.2 Step 2: Volatility system information extraction

This next step examines the infected memory image using Volatility plugins that provide system information about the suspect computer and its operating system.

3.2.1 Plugin linux_banner

This plugin is used to determine the Linux kernel, its revision and architecture. The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_banner

The plugin generated the following output:

Linux version 2.6.38-8-generic (buildd@allspice) (gcc version 4.5.2 (Ubuntu/Linaro 4.5.2-8ubuntu3) ) #42-Ubuntu SMP Mon Apr 11 03:31:24 UTC 2011 (Ubuntu 2.6.38-8.42-generic 2.6.38.2)

⁴ More information concerning the submission of this particular rootkit can be found at https://www.virustotal.com/en/file/9bf9889168b5d9d776c35d7180ece78615183402b412e6ca2270e1b042a7db0/analysis/.
The output indicates that Linux 2.6.38-8 is running and that it is an SMP-enabled kernel, compiled using GCC version 4.5.2 (April 11, 2011). However, looking only at this information it is not possible to determine if it is a 32-bit, 32-bit PAE or 64-bit kernel. To be fair, part of the problem is the kernel naming convention used by Debian and Ubuntu, in this case, for example, Ubuntu 2.6.38-8.42-generic 2.6.38.2.

3.2.2 Plugin linux_cpuinfo

This plugin is used to identify the type and number of CPUs running atop the suspect computer. The plugin was run using the following command, resulting in the following output:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_cpuinfo

Processor  Vendor        Model
0          GenuineIntel  Intel(R) Core(TM) i7 CPU X 000 @ 3.33GHz
1          GenuineIntel  Intel(R) Core(TM) i7 CPU X 000 @ 3.33GHz

The make and model of the two identified processors are correct. The base processor speed is 3.33 GHz.

3.2.3 Plugin linux_dmesg

This plugin is used to identify important boot-up information and kernel-based messages about the underlying computer system. The UNIX/Linux dmesg command, upon which this plugin is based, identifies various kernel and device driver boot-up information and output structures in memory that are typically found in system log file /var/log/dmesg⁵.

Using this plugin, it may be possible to identify what kernel (and its revision) was running, the number and type of CPUs, instantiated system services, the map of system memory, networking and many other essential capabilities (both software and hardware) that a typical Linux system will have. The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_dmesg

The output is too long to list here, but a full listing can be found in Annex B.1. After a detailed inspection of the output, nothing out of the ordinary was identified.

⁵ Not all UNIX systems necessarily use this specific file. Mileage will vary according to the underlying operating system.
3.2.4 Plugin linux_iomem

This plugin provides the physical memory mapping of the suspect computer system, which in this case is a virtual machine. An in-depth examination of this virtual machine’s physical memory mapping is outside the scope of this report; however, additional information concerning the interpretation of this data can be found in [4].

The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_iomem

The output of this plugin is listed in the first three columns of Table 4. The fourth and fifth columns were added by the author to facilitate reading. The rows shown in blue in the original (labelled “System RAM” below, which is how the plugin reports them) are the virtualized hardware RAM (equivalent to computer hardware memory modules).

Table 4: VM physical memory mapping for suspected system.

Hardware      Starting Address  Ending Address  Size Difference  Size (in bytes)
reserved      0x0               0xFFFF          0xFFFF           65,536
System RAM    0x10000           0x9FBFF         0x8FBFF          588,800
reserved      0x9FC00           0x9FFFF         0x3FF            1,024
reserved      0xF0000           0xFFFFF         0xFFFF           65,536
System RAM    0x100000          0xDFFEFFFF      0xDFEEFFFF       3,756,982,272
Kernel code   0x1000000         0x15CD2BC       0x5CD2BC         6,083,260
Kernel data   0x15CD2BD         0x1AB38FF       0x4E6642         5,137,986
Kernel bss    0x1BAA000         0x1CFEFFF       0x731D42         7,544,130
ACPI Tables   0xDFFF0000        0xDFFFFFFF      0xFFFF           65,536
0000:00:02.0  0xE0000000        0xE7FFFFFF      0x7FFFFFF        134,217,728
vesafb        0xE0000000        0xE012FFFF      0x12FFFF         1,245,184
0000:00:03.0  0xF0000000        0xF001FFFF      0x1FFFF          131,072
e1000         0xF0000000        0xF001FFFF      0x1FFFF          131,072
0000:00:04.0  0xF0400000        0xF07FFFFF      0x3FFFFF         4,194,304
vboxguest     0xF0400000        0xF07FFFFF      0x3FFFFF         4,194,304
0000:00:04.0  0xF0800000        0xF0803FFF      0x3FFF           16,384
0000:00:06.0  0xF0804000        0xF0804FFF      0xFFF            4,096
ohci_hcd      0xF0804000        0xF0804FFF      0xFFF            4,096
0000:00:0b.0  0xF0805000        0xF0805FFF      0xFFF            4,096
ehci_hcd      0xF0805000        0xF0805FFF      0xFFF            4,096
0000:00:0d.0  0xF0806000        0xF0807FFF      0x1FFF           8,192
ahci          0xF0806000        0xF0807FFF      0x1FFF           8,192
IOAPIC 0      0xFEC00000        0xFEC003FF      0x3FF            1,024
Local APIC    0xFEE00000        0xFEE00FFF      0xFFF            4,096
reserved      0xFFFC0000        0xFFFFFFFF      0x3FFFF          262,144
System RAM    0x100000000       0x11FFFFFFF     0x1FFFFFFF       536,870,912

The VM, allocated a total of 4,294,967,296 bytes (4 GiB) of RAM, is able to use 4,294,441,984 bytes, leaving 525,312 bytes (513 KiB) reserved for use by the VM’s BIOS.

The reason an investigator/incident handler should use this plugin is to be aware of the different address ranges used by the hardware (virtualized or not) and operating system. This information can be used to validate that the malware has not tricked the operating system’s virtual memory manager or other kernel components into thinking the system has less memory than it physically has. Had the amount of unseen memory been significantly larger than the 509 KiB used by the BIOS, then this could have indicated that the malware was busy making changes to the system to hide itself. While this capability has not yet been seen in Linux malware, this does not preclude it from existing.
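The check described above, expressed as a small Python script, is added here as an example and is not part of the report or of Volatility. It assumes linux_iomem output in the shape shown in the sample (resource name followed by the start and end physical addresses, sub-ranges indented by two spaces); the sample text is constructed from the ranges in Table 4 and is not the plugin’s verbatim output. It sums the top-level System RAM ranges, compares them with the memory the machine was configured with, and reports whether the unaccounted amount exceeds a tolerance (1 MiB by default, an assumed value) that would cover a BIOS reservation of the size seen here.

```python
import re

# Constructed sample in the shape of linux_iomem output: resource name, then
# the start and end physical address of the range (end inclusive). Indented
# entries are sub-ranges of the entry above them. Values come from Table 4.
SAMPLE_IOMEM = """\
reserved                     0x0                 0xffff
System RAM                   0x10000             0x9fbff
reserved                     0x9fc00             0x9ffff
reserved                     0xf0000             0xfffff
System RAM                   0x100000            0xdffeffff
  Kernel code                0x1000000           0x15cd2bc
  Kernel data                0x15cd2bd           0x1ab38ff
  Kernel bss                 0x1baa000           0x1cfefff
ACPI Tables                  0xdfff0000          0xdfffffff
0000:00:02.0                 0xe0000000          0xe7ffffff
  vesafb                     0xe0000000          0xe012ffff
IOAPIC 0                     0xfec00000          0xfec003ff
Local APIC                   0xfee00000          0xfee00fff
reserved                     0xfffc0000          0xffffffff
System RAM                   0x100000000         0x11fffffff
"""

# name (may contain spaces), then two hex addresses; leading blanks give the depth
LINE_RE = re.compile(
    r"^(?P<indent>\s*)(?P<name>.+?)\s+(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s*$"
)


def parse_iomem(text):
    """Return (depth, name, start, end) tuples; addresses as ints, end inclusive."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers, separators and blank lines
        depth = len(m.group("indent")) // 2  # assumed: two spaces per nesting level
        entries.append((depth, m.group("name").strip(),
                        int(m.group("start"), 16), int(m.group("end"), 16)))
    return entries


def system_ram_bytes(entries):
    """Sum only the top-level System RAM ranges (kernel code/data/bss lie inside them)."""
    return sum(end - start + 1 for depth, name, start, end in entries
               if depth == 0 and name == "System RAM")


def check_unseen_memory(text, configured_bytes, tolerance_bytes=1 << 20):
    """Compare the RAM the kernel can see with what the machine was given."""
    visible = system_ram_bytes(parse_iomem(text))
    unseen = configured_bytes - visible
    return {"visible": visible, "unseen": unseen,
            "suspicious": unseen > tolerance_bytes}


if __name__ == "__main__":
    result = check_unseen_memory(SAMPLE_IOMEM, 4 * 1024 ** 3)
    print("visible %d bytes, unseen %d bytes (%d KiB), suspicious=%s"
          % (result["visible"], result["unseen"], result["unseen"] // 1024,
             result["suspicious"]))
```

On the Table 4 ranges the script reports 4,294,441,984 bytes visible and 525,312 bytes (513 KiB) unseen, matching the figures in the text; a rootkit that had carved out a hidden region would raise the unseen figure well past the tolerance.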

3.2.5 Plugin linux_slabinfo

Plugin linux_slabinfo is used to provide kernel SLAB-based information. The kernel SLAB structure is a specific structure kept in /proc used to keep track of the different kernel structures that rely on various caches. These include, but are not limited to, filesystem buffers, network buffers and caches, inodes and many others.

This plugin only supports SLAB-based kernels and as such will only work with memory images using kernel 2.6.22 and earlier. Kernels 2.6.23 and later, by default, use SLUB-based memory management [4, 5, 6].

3.2.6 Plugin linux_mount_cache

Plugin linux_mount_cache is used to provide kernel SLAB-based information. The kernel SLAB structure is a specific structure kept in /proc used to keep track of different kernel structures that rely on various caches. These include, but are not limited to, filesystem buffers, network buffers and caches, inodes and many others.

The reason this plugin does not work is that it supports SLAB-only based kernels, not SLUB-based kernels [4, 5, 6].

3.2.7 Plugin linux_mount

Although this plugin is not the preferred manner for obtaining a list of mounted disk, kernel and virtual filesystems, it did work, unlike the previous plugin, even if some of the output is not the same as what the linux_mount_cache plugin would produce.

The plugin was run using the following command, generating the following output:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_mount

• - /media/malware vboxsf rw,relatime,nodev
• /dev/sda1 /boot ext4 rw,relatime
• /dev/disk/by-uuid/45fdcb1c-c3c7-4c98-9ac3-7f8acf84ac26 / xfs rw,relatime
• binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime,nosuid,nodev,noexec
• fusectl /sys/fs/fuse/connections fusectl rw,relatime
• gvfs-fuse-daemon /home/richard/.gvfs fuse rw,relatime,nosuid,nodev
• none /var/run tmpfs rw,relatime,nosuid
• none /sys/kernel/debug debugfs rw,relatime
• none /sys sysfs rw,relatime,nosuid,nodev,noexec
• none /dev/shm tmpfs rw,relatime,nosuid,nodev
• none /dev devtmpfs rw,relatime
• none /var/lock tmpfs rw,relatime,nosuid,nodev,noexec
• none /proc proc rw,relatime,nosuid,nodev,noexec
• none /dev/pts devpts rw,relatime,nosuid,noexec
• none /sys/kernel/security securityfs rw,relatime

The first entry is the VirtualBox Shared Folder that was mounted on the guest VM. That aside, upon closer examination of the output, nothing appears out of the ordinary.

3.2.8 Summary

Performing Volatility system information extraction has demonstrated that collecting information about the VM’s underlying operating system and base configuration is straightforward. However, despite the many pages of output generated by the various plugins, no clues or hints as to this memory image’s infection could be identified.

These plugins do provide important basic information about the underlying hardware and operating system, which, while informative, is unlikely to yield immediate clues. Upon correlation with additional plugins (yet to be used), they may yield further information.

The author is of the opinion that the most important plugin in this step is linux_dmesg. However, plugins linux_iomem and linux_mount may provide additional indications of malware presence, but only if the malware is capable of modifying the kernel’s perception of available “System RAM” or mount points, respectively. Plugin linux_banner is useful for obtaining information about the version of the kernel in use but on its own provides no information about the architecture of the kernel (32 or 64-bit).

It is important that analysts use the appropriate Volatility plugins supported by the memory image’s underlying kernel and recognize which is SLUB and SLAB based. That is the reason why the author continues to use them even though they will not work against more recent versions of the Linux kernel.


3.3 Step 3: Volatility process listings and analysis

In this step, specific plugins will be used to identify process-based information concerning the infected memory image.

3.3.1 Plugin linux_psaux

This plugin is used to provide a full process listing of the system. Its output is approximately the same as would be obtained running the ps -aux command via a terminal. The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_psaux

The resulting output consisted of 146 listed processes. This output is too long to list here, but it can be found in Annex B.2. Everything in this long list of processes appears altogether normal.

3.3.2 Plugin linux_pslist

This interesting Volatility plugin is also used to list all running processes on a system. It works by walking the task_struct->tasks linked list [10, 12], similar to Volatility’s Windows process listing plugins. The plugin can list all active processes (except for the system swapping process(es)). According to Volatility’s documentation, if the output under the DTB column is blank then it is very likely a kernel thread. This includes drivers and other kernel modules visible from userland.

The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_pslist

The resulting output is too long to include here but can be found in Annex B.3. Importantly, the same number of processes (146) was found using this plugin as with the previous plugin. Again, nothing out of the ordinary was identified.
3.3.3 Plugin linux_pslist_cache

This plugin attempts to build a list of active processes from kmem_cache, the kernel’s memory cache [10, 12]. In effect, it should reproduce the same results as the linux_pslist plugin using a different mechanism, which is useful in corroborating the results of the other available process listing plugins.

The reason this plugin does not work is that it supports SLAB-only based kernels, not SLUB-based kernels [4, 5, 6].

3.3.4 Plugin linux_pstree

The purpose of this plugin is to identify the relationship between processes, in effect to identify a given process’ parent (or PPID). The reader may have noticed that to date none of the Linux process listing plugins provides the PPID of the variously identified processes. Thus, to identify these relationships, the following command was issued:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_pstree

The resulting output is too long to include here but can be found in Annex B.4. Importantly, the same number of processes (146) was found using this plugin as with the previous plugin. Again, nothing out of the ordinary was identified.

3.3.5 Plugin linux_pidhashtable

This interesting plugin can be used to identify hidden or previously unseen processes. However, it is not the same as the Windows psxview plugin. Instead, it works by walking the PID hash table [10, 12]. The plugin validates that a given process forms part of the PID hash table maintained by the operating system. This lookup (or hash) table is similar to that used by Windows in that they are both doubly linked lists. In the same manner that rogue Windows processes can unlink themselves from the Windows process table, rogue Linux processes can unlink themselves from the PID hash table and this plugin can aid in identifying them. Its output is not that different from the linux_pslist plugin.

The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_pidhashtable

The resulting output is too long to include here but can be found in Annex B.5. Nearly double the number of processes (276) was found using this plugin. Interestingly, the very last line of output found in this table had a suspicious looking entry, listed below in Table 5.
Table 5: Identification of a possibly suspicious process using plugin linux_pidhashtable.

Offset              Name    Pid   Uid         Gid     DTB                 Start Time
0xffff8801156788b8  ?GQ???  2800  1413567809  39...7  0x0000000000000000  2014-05-16 16:47:22 UTC+0000

The process’ name is odd, possibly bordering on the suspicious. Its UID also indicates that this process is very likely not a legitimate process. Under Linux, as with many UNIX systems, UIDs are a 32-bit number; thus, the maximum UID a modern Linux system can have is 4,294,967,296. However, numbers this high are, at the very least, irregular. Moreover, so too is its GID.

Currently, there is no indication that this process is malicious as it could in fact be a remnant in memory left over from a previous process (or thread) or even from a previous operating system reboot. Nevertheless, this process’s offset will be revisited later in this document.

It is worth attempting to dump this process from the memory image using the linux_dump_map plugin. This was performed using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_dump_map -p 2800 --dump-dir=.

This command resulted in no usable output or dumpfile. Other plugins that were tried included linux_elfs, linux_procdump and linux_memmap. None of them succeeded in dumping anything from memory or in providing more information.

3.3.6 Plugin linux_psxview

This plugin is related to the psxview plugin used for Windows memory investigations. However, this Linux-specific plugin makes use of very different data structures found only in Linux-based memory images.

Memory offsets are specified in terms of virtual addresses and the plugin uses five distinct algorithms for memory analysis. The first of these is pslist, which uses the same technique used by the pslist plugin (see Section 3.3.2). The second is pid_hash, which helps identify hidden processes (see Section 3.3.5). The third is kmem_cache, which examines the kernel’s memory cache (see Section 3.3.3). Specifically, this cache stores information not only about ongoing processes but also metadata concerning terminated processes, sometimes even those which may have completed long ago, depending on the degree of process creation within the operating system. Finally, the field Parents “is populated by following the parent pointers of processes and threads found in the PID hash table” while the Leaders field “is populated by gathering the thread group leader pointer of each process and thread” [10, 12].

When working with this plugin it is important to identify those processes or threads that are obvious outliers. It is normal that the various field values vary a lot, but those that are too different from their surroundings may warrant additional inspection.

The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_psxview

The resulting output is too long to include here but can be found in Annex B.6. Nearly double the number of processes (279) was found using this plugin. They are the very same processes identified by plugin linux_pidhashtable (see Section 3.3.5) with the exception of three additional processes. These additional processes were:

• - (this process had no valid name, PID or virtual address offset)

• swapper (PID 0)

• third instance of zeitgeist-datah

PID 2800 (process name: ?GQ???) was also identified by the linux_psxview plugin. Moreover, nothing specifically suspicious concerning the zeitgeist-datah processes could be identified, other than the fact that they have different entries in the table of Annex B.6.

Finally, the swapper process is entirely legitimate for Linux and UNIX-like systems where PID 0 is typically reserved for kernel process swapper or sched (system scheduler) [11].
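An added Python example (not code from the report or from Volatility) of the cross-view idea behind linux_pidhashtable and linux_psxview: two process listings are reconciled by task_struct offset, and each entry is checked for the warning signs discussed in Section 3.3.5 (unusual characters in the name, a UID or GID far outside the normal range, an empty DTB). The six-column row layout, the 65534 upper bound for ordinary IDs and every row except the offset, name, PID and UID of the PID 2800 entry from Table 5 are assumptions constructed for this example.

```python
import string

# Constructed sample listings in the shape of a Volatility Linux process plugin
# row: task_struct offset, name, PID, UID, GID, DTB. Only the PID 2800 row reuses
# values from Table 5 (offset, name, PID, UID); its GID is truncated there, so 39
# stands in for it, and every other row is invented for the example.
PSLIST_SAMPLE = """\
0xffff88011f0c8000 init              1     0           0     0x000000011e3f2000
0xffff88011e1d1700 bash              1692  0           0     0x000000011cd5a000
0xffff88011e0a2e00 zeitgeist-datah   1501  1000        1000  0x000000011d31c000
"""
# The PID hash table walk sees one entry that the task list walk did not.
PIDHASH_SAMPLE = PSLIST_SAMPLE + """\
0xffff8801156788b8 ?GQ???            2800  1413567809  39    0x0000000000000000
"""

# Assumed upper bound for ordinary UIDs/GIDs: 65534 is nobody/nogroup on many
# distributions, so anything above it deserves a second look.
MAX_EXPECTED_ID = 65534
# Characters one expects to see in a comm field; anything else is worth noting.
NAME_CHARS = set(string.ascii_letters + string.digits + "._-/:()[]@ ")


def parse_listing(text):
    """Map task_struct offset -> fields for every well-formed six-column row."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # header, separator, or a row whose DTB column is blank
        offset, name, pid, uid, gid, dtb = parts
        rows[int(offset, 16)] = {
            "name": name, "pid": int(pid), "uid": int(uid),
            "gid": int(gid), "dtb": int(dtb, 16),
        }
    return rows


def process_anomalies(info):
    """Return the reasons a single entry looks irregular (empty list if none)."""
    reasons = []
    if any(ch not in NAME_CHARS for ch in info["name"]):
        reasons.append("unusual characters in process name")
    if info["uid"] > MAX_EXPECTED_ID:
        reasons.append("uid %d outside the expected range" % info["uid"])
    if info["gid"] > MAX_EXPECTED_ID:
        reasons.append("gid %d outside the expected range" % info["gid"])
    if info["dtb"] == 0:
        reasons.append("no DTB (kernel thread or stale task_struct)")
    return reasons


def cross_view(pslist_text, pidhash_text):
    """Reconcile the task-list walk with the PID-hash-table walk and flag outliers."""
    pslist = parse_listing(pslist_text)
    pidhash = parse_listing(pidhash_text)
    findings = []
    for offset in sorted(set(pslist) | set(pidhash)):
        info = pidhash.get(offset) or pslist[offset]
        reasons = process_anomalies(info)
        if offset not in pslist:
            reasons.insert(0, "present in pid hash table but absent from task list")
        if offset not in pidhash:
            reasons.insert(0, "present in task list but absent from pid hash table")
        if reasons:
            findings.append({"offset": offset, "pid": info["pid"],
                             "name": info["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in cross_view(PSLIST_SAMPLE, PIDHASH_SAMPLE):
        print("0x%x pid=%d name=%s" % (f["offset"], f["pid"], f["name"]))
        for r in f["reasons"]:
            print("    " + r)
```

As the text notes, an entry that trips these checks is not necessarily malicious; a stale task_struct left over from a terminated process looks much the same, so the finding is a lead to be corroborated with the other plugins rather than a verdict.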

3.3.7 Summary

Performing Volatility process listings and analysis has shown that thus far, the only issue of note is a suspicious process found with name ?GQ??? (with an unidentified PID), using both the linux_psxview and linux_pidhashtable plugins. Since attempts to dump this “process” have failed, and given the information obtained about it using the aforementioned plugins, it is very likely that it is in fact not a process but junk residing in memory. This would seem to be the logical conclusion to draw based on the available facts. However, further analyses of the memory image are still required.

Although nothing significant has been thus far established, the use of process listing and process scanning plugins is an important step in any memory investigation that should not be skipped as malware may leave behind indications of its presence. Each of the plugins presented in this step has the ability to provide clues or contextual information concerning the relationship between the various detailed processes and threads.

3.4 Step 4: Volatility history listing and system shells

In this step, various command shell listing plugins will be used to attempt to identify pertinent shell histories.
3.4.1 Plugin linux_bash

This particular plugin searches a memory image for command shell histories, similar to Volatility’s Windows-based command history plugins. This is a brute force plugin in that it scans the entire memory image for signs of shell histories and as such may output erroneous information [10, 12].

The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_bash -A

Running with the -A option can help ensure that all processes are scanned for shell history information, but it can take many hours to process a large memory image. It is also possible that the plugin will crash when used with this option. However, the option is useful because attackers may have copied the shell program (i.e. bash) to another name (i.e. /tmp/hsab) and run it to circumvent the manual detection of shell histories in memory. Tests have found that the same amount of information was identified when the plugin was used without the option. Of course, mileage will vary.

In a typical investigation, there could be hundreds or even thousands of lines of shell history to go over. Typically, after a system reboot, pre-existing shell histories will no longer be recoverable from memory; this, of course, is only a rule of thumb and there are times when pre-reboot data will remain intact in memory for recovery.

Relevant output generated by the plugin is listed in Table 6.

Table 6: Pertinent plugin output for linux_bash (pruned and sorted chronologically).

PID   Name  Command Time                  Command
1692  bash  2014-05-16 16:51:07 UTC+0000  mkdir /media/malware ; mount -t vboxsf Rootkits /media/malware
1692  bash  2014-05-16 16:51:49 UTC+0000  cd /media/malware/
1692  bash  2014-05-16 16:52:01 UTC+0000  mount -t vboxsf Rootkits /media/malware
1692  bash  2014-05-16 16:52:05 UTC+0000  cd /media/malware/
1692  bash  2014-05-16 16:52:17 UTC+0000  cd IVYL/
1692  bash  2014-05-16 16:52:19 UTC+0000  cd rootkit-master/
1692  bash  2014-05-16 16:53:10 UTC+0000  insmod *.ko
1692  bash  2014-05-16 16:53:20 UTC+0000  cat /proc/rtkit

While the above shell history information does show that data, possibly rootkit source code, was copied over from the host system to the guest VM system, it also shows that a driver was likely loaded into memory. This driver, as far as it is known, is the rootkit in question and the final command in the table attempts to query a new kernel structure for more information (see Section 1.6).
However, an attacker’s shell command histories will not be retrievable in every case. Moreover, in a real-world scenario, one would not expect to find remnants of a shared VM folder in memory or the files/directories contained therein.
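The pruning and chronological sorting applied to Table 6, as an added Python example that is not part of the report or of Volatility. It assumes linux_bash output in the column layout shown in the sample (Pid, Name, Command Time, Command); the sample rows are constructed from commands in Table 6 plus one implausibly dated entry of the kind the brute-force scan can produce. The patterns flagged as being of interest (module loading, mounts, reads under /proc) were chosen for this example and are not a list the report gives.

```python
import re

# Constructed sample in the shape of linux_bash output. Rows are deliberately out
# of order, and the last one carries an epoch-zero timestamp of the sort the
# brute-force scan can report for a stale or misparsed history entry.
SAMPLE_BASH = """\
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    1692 bash                 2014-05-16 16:53:20 UTC+0000   cat /proc/rtkit
    1692 bash                 2014-05-16 16:51:07 UTC+0000   mkdir /media/malware ; mount -t vboxsf Rootkits /media/malware
    1692 bash                 2014-05-16 16:52:17 UTC+0000   cd IVYL/
    1692 bash                 2014-05-16 16:53:10 UTC+0000   insmod *.ko
    1692 bash                 1970-01-01 00:00:00 UTC+0000   ls
"""

# pid, name, "YYYY-MM-DD HH:MM:SS UTC+0000", command (trailing blanks dropped)
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000\s+(.*?)\s*$"
)

# Patterns an analyst would want highlighted in a recovered history (chosen for
# this example): kernel module loading, filesystem mounts and reads under /proc.
INTEREST = [
    ("module load", re.compile(r"\b(insmod|modprobe)\b")),
    ("mount", re.compile(r"\bmount\b")),
    ("proc access", re.compile(r"/proc/")),
]


def parse_bash_history(text, not_before=None):
    """Parse plugin rows, drop entries dated before `not_before` (same timestamp
    format, e.g. "2014-01-01 00:00:00"), tag them, and sort chronologically.
    The ISO-style timestamp sorts correctly as a plain string."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or a line the plugin mangled
        pid, name, when, cmd = m.groups()
        if not_before is not None and when < not_before:
            continue  # implausible date: treat as scan noise, not evidence
        tags = [label for label, rx in INTEREST if rx.search(cmd)]
        rows.append({"pid": int(pid), "name": name, "time": when,
                     "command": cmd, "tags": tags})
    rows.sort(key=lambda r: (r["time"], r["pid"]))
    return rows


def flagged_commands(rows):
    """Just the commands that matched at least one pattern of interest."""
    return [r["command"] for r in rows if r["tags"]]


if __name__ == "__main__":
    for r in parse_bash_history(SAMPLE_BASH, not_before="2014-01-01 00:00:00"):
        marker = "*" if r["tags"] else " "
        print("%s %s %5d %-4s %s  %s" % (marker, r["time"], r["pid"], r["name"],
                                          r["command"], ",".join(r["tags"])))
```

The `not_before` cut-off is the practical answer to the caveat that the plugin "may output erroneous information": a history line dated before the system was even installed is far more likely to be scan noise than an attacker's command, and filtering it keeps the timeline readable.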

3.4.2 Plugin linux_bash_env

This new plugin has the ability to find various environment variables used by a command line shell. As such, this plugin has the potential to provide important clues concerning an attacker’s actions against a suspect system.

The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_bash_env

Environment variables were only identified for PID 1556. What was identified for PID 1692 in the table below is a command, not an environment variable. Careful analysis of this plugin’s output has revealed that nothing of use or importance could be found within the output listed in Table 7. In fact, the dd command listed as a bash shell environment variable is a left over remnant from a previous session of this VM.


Table 7: Plugin output for linux_bash_env.

PID   Name  Variables
1556  bash  ORBIT_SOCKETDIR=/tmp/orbit-richard SSH_AGENT_PID=1319 TERM=xterm SHELL=/bin/bash
            XDG_SESSION_COOKIE=777b901babad8d3f6a4b67c100000005-1400258888.726668-1941620134 WINDOWID=62914598
            GNOME_KEYRING_CONTROL=/tmp/keyring-nLdrWW GTK_MODULES=canberra-gtk-module USER=richard
            LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:
            SSH_AUTH_SOCK=/tmp/keyring-nLdrWW/ssh
            SESSION_MANAGER=local/ubuntu-64:@/tmp/.ICE-unix/1252,unix/ubuntu-64:/tmp/.ICE-unix/1252 USERNAME=richard
            DEFAULTS_PATH=/usr/share/gconf/gnome.default.path XDG_CONFIG_DIRS=/etc/xdg/xdg-gnome:/etc/xdg
            PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games DESKTOP_SESSION=gnome PWD=/home/richard
            GDM_KEYBOARD_LAYOUT=us GNOME_KEYRING_PID=1233 LANG=en_US.UTF-8 GDM_LANG=en_US.utf8
            MANDATORY_PATH=/usr/share/gconf/gnome.mandatory.path UBUNTU_MENUPROXY=libappmenu.so
            COMPIZ_CONFIG_PROFILE=ubuntu GDMSESSION=gnome SHLVL=1 HOME=/home/richard LANGUAGE=en_US:en
            GNOME_DESKTOP_SESSION_ID=this-is-deprecated LOGNAME=richard XDG_DATA_DIRS=/usr/share/gnome:/usr/local/share/:/usr/share/
            DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-lc5rG8LUrV,guid=86fedc11154cd310d59c936b0000002e LESSOPEN=| /usr/bin/lesspipe %s WINDOWPATH=7 DISPLAY=:0
            LESSCLOSE=/usr/bin/lesspipe %s %s COLORTERM=gnome-terminal XAUTHORITY=/var/run/gdm/auth-for-richard-TyTFyT/database _=/bin/su
1692  bash  dd if=/dev/fmem of=fmem.dd bs=1K count=800000

3.4.3 Plugin linux_psenv

This plugin is used to identify which environment variables and system shell were inherited by or attributed to the various processes at their moment of instantiation.

The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_psenv | tr " " "\n" | grep SHELL

The output from this plugin is not shown, as it contained no relevant information. Furthermore, all of the shell variables found within the output used bash as their system shell, as per the various processes’ environment variable settings (i.e. SHELL=/bin/bash).
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3.4.4  Plugin  linux_bash_hash 

This  new  and  unique  plugin  recovers  the  bash  hash  table  kept  in  memory  by  the  bash  command 
line  shell.  Bash  uses  a  hash  table  to  keep  track  of  commands  and  the  number  of  times  they  were 
run.  This  plugin  also  provides  the  -A  command  line  parameter  which  is  used  to  scan  the  entire 
memory  image  for  additional  hash  tables.  Again,  in  so  doing,  if  the  memory  image  is  too  large  the 
plugin  could  crash  or  take  a  very  long  time  to  run. 

The  plugin  was  run  using  the  following  command: 

$  volatility  --profile=Linuxubuntu_1104_profilex64  -f 
ubuntu_1104_IVYL.mem  linux_bash_hash 

The plugin was originally run with -A, but it crashed instead of producing usable results. Thus, the command was rerun without -A, which produced the results shown in Table 8.


Table 8: Plugin output for linux_bash_hash.

Pid    Name   Hits   Command   Full Path
1692   bash   2      umount    /bin/umount
1692   bash   3      df        /bin/df
1692   bash   4      cat       /bin/cat
1692   bash   4      mount     /bin/mount
1692   bash   1      insmod    /sbin/insmod
1692   bash   3      mkdir     /bin/mkdir
1692   bash   12     ls        /bin/ls
1692   bash   1      mesg      /usr/bin/mesg

Upon a thorough examination of the above listed output, the only truly interesting command is insmod, which was run under su by the logged-in user. We know this command is running under su based on the output from the linux_psaux plugin.

This  command  is  used  to  load  kernel  modules  (or  drivers)  into  kernel-space.  Thus,  something  was 
likely  loaded,  unless  said  loading  failed,  for  which  information  is  not  currently  available. 

3.4.5  Summary 

Performing  Volatility  history  listing  and  system  shells  has  demonstrated  that  searching  for  shell 
command  histories  can  produce  rewards,  especially  if  a  system’s  memory  is  acquired  within  a 
few  hours  of  compromise  (or  possibly  more  if  the  system  is  quiescent). 

However, both what is recovered and its pertinence can vary greatly between investigations and, as such, investigators and incident handlers must remember that these bash-based plugins represent only one small piece of the analysis. These plugins rely on the bash shell, which is not always the system or user default shell; thus, these plugins do have their limits.

In using these four plugins, only the linux_bash and linux_bash_hash plugins found evidence of commands used for the loading of a potential rootkit. At least, these commands are suspicious in a day-to-day environment; normal users should not use them.

3.5  Step  5:  Volatility  file  detection  and  dumping 

In  this  step,  various  plugins  will  be  used  to  attempt  to  isolate  and  dump  important  or  suspicious 
files  for  further  analysis. 

3.5.1 Plugin linux_lsof

This plugin lists all open files, sockets, pipes, directories and other objects that the system currently has open for a given process, a list of processes, or all processes. This plugin functions similarly to the UNIX/Linux command lsof; however, it does not in any way list the same number of files or details as the real lsof command does. For example, a typical Linux system running with X Windows will have at least several thousand more open filesystem objects (footnote 6). However, in using this plugin, it is likely that less than half of these will actually be open.

The  plugin  was  run  using  the  following  command: 

$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_lsof

Correlating the output from this plugin against those from the linux_psaux and linux_psxview plugins resulted in no actionable information or additional clues about the underlying infection. Moreover, this plugin does not have the ability to provide information concerning hidden processes and rootkits. The plugin succeeded in identifying 1,336 objects. After going over this output, nothing suspicious could be found therein (e.g. /proc/rtkit).

3.5.2 Plugin linux_dentry_cache

This plugin recovers files from the active mount point of each filesystem in memory, assuming they are still resident in memory or have not been paged out. Apparently, the plugin also has the ability to recover deleted files from copies in memory, assuming the aforementioned caveats [10, 12].

The reason this plugin does not work here is that it supports only SLAB-based kernels, not SLUB-based kernels [4, 5, 6].


6 This test was carried out on the infected VM after memory acquisition using the command "lsof | wc -l".
3.5.3 Plugin linux_enumerate_files

This  plugin  is  used  to  list  the  various  files  referenced  by  the  filesystem  cache,  both  those  from  the 
actual  disk  filesystem(s)  and  the  kernel’s  pseudo-files.  However,  the  vast  majority  of  the  disk-based 
files  referenced  therein  will  not  actually  reside  within  the  cache  itself  unless  the  cache  is 
extraordinarily  large  and  fresh,  perhaps  being  found  only  on  very  large  memory  systems 
(64+  GiB  RAM). 

Nevertheless, this plugin oftentimes has the ability to enumerate far more files than the linux_lsof plugin; as such, it should be used when the latter fails to find anything of interest.

The  plugin  was  run  using  the  following  command: 

$  volatility  --profile=Linuxubuntu_1104_profilex64  -f 
ubuntu_1104_IVYL.mem  linux_enumerate_files 

The plugin did not succeed in locating /proc/rtkit or evidence of the rootkit within the disk-based portion of the filesystem cache. However, it did find evidence of the rootkit’s source code files, compiled kernel module and ZIP archive from the VirtualBox host-shared folder. However, the reader should not take these into consideration as the virtual machine’s memory was imaged immediately after infection, something which will almost never happen in the real world, where infections are only found hours, days and sometimes weeks (or even months) after the fact. Also, these were found on a VM shared folder, not something likely to be found in a real-world situation.

3.5.4  Plugin  linux_kernel_opened_files 

This new plugin is used to list files and other filesystem objects that are opened or used from within the kernel itself, somewhat similar to plugin linux_lsof.

The  plugin  was  run  using  the  following  command: 

$  volatility  --profile=Linuxubuntu_1104_profilex64  -f 
ubuntu_1104_IVYL.mem  linux_kernel_opened_files 

The  plugin  appears  to  have  worked  as  it  emitted  no  errors,  but  it  generated  no  output.  Thus,  it  can 
only  be  concluded  that  it  either  did  not  work  and  generated  no  errors  or  worked  but  found  nothing 
(or  there  was  nothing  to  report).  This  is  in  contrast  to  report  [9]  where  the  plugin  failed  and 
emitted  an  error  likely  caused  by  a  missing  Python  library  or  Volatility  dependency. 

3.5.5 Plugin linux_proc_maps

This  very  powerful  plugin  can  be  used  to  learn  important  information  about  the  underlying 
system  as  a  whole  or  about  one  or  more  specific  processes.  Specifically,  this  plugin  is  used  to 
identify  process  metadata  including  the  name  and  location  of  running  processes,  shared  libraries, 
stacks,  inodes  and  memory  address  ranges. 

The  plugin  was  run  using  the  following  commands: 
$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_proc_maps | tail -n +3 > proc_maps.txt

$ cat proc_maps.txt | awk '{print $9}' | sort | uniq > proc_maps_2.txt

The first command uses tail to remove the first two (header) lines of output emitted by Volatility, and the remainder is redirected to file proc_maps.txt. The second command reduces the plugin’s 15,162 lines of output to a manageable 566: awk prints only the ninth column, the sort utility sorts that output alphanumerically and the uniq utility removes all duplicate lines. Although the new output is far shorter than the original output, it is still too lengthy to include herein.

After  analysing  the  shorter  output,  nothing  out  of  the  ordinary  was  found. 

3.5.6 Plugin linux_proc_maps_rb

This plugin is the same as the linux_proc_maps plugin except that it relies on the kernel’s red-black process mapping structure. Exactly what that is or how it works is outside the scope of this work as it deep-dives into kernel structures. It is another technique for attempting to identify process metadata including the name and location of running processes, shared libraries, stacks, inodes and memory address ranges.

The  plugin  was  run  using  the  following  commands: 

$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_proc_maps_rb | tail -n +3 > proc_maps_rb.txt

$ cat proc_maps_rb.txt | awk '{print $9}' | sort | uniq > proc_maps_rb2.txt

The plugin reproduced exactly the same output as generated by the linux_proc_maps plugin; thus, no further analysis will be detailed herein.
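As an added example (not part of the report), the following Python script performs the same reduction as the tail/awk/sort/uniq pipeline above and then triages the mappings, flagging the kinds of entries an investigator would want to see first. It assumes the nine-column output layout implied by the report's awk '{print $9}' command; the sample rows are constructed, not the report's output.

```python
"""Added example (not from the report): parse, reduce and triage the output of
linux_proc_maps / linux_proc_maps_rb without relying on awk.

Assumes the nine-column layout implied by the report's awk '{print $9}' step:
Pid Start End Flags Pgoff Major Minor Inode Path. The sample rows are
constructed for illustration; they are not the report's output.
"""

# Constructed sample in the assumed nine-column layout (not from the report).
SAMPLE_PROC_MAPS = """\
Pid      Start              End                Flags Pgoff Major Minor Inode  File Path
-------- ------------------ ------------------ ----- ----- ----- ----- ------ ---------
1692 0x0000000000400000 0x00000000004d4000 r-x 0x0 8 1 393258 /bin/bash
1692 0x00000000006d3000 0x00000000006dd000 rw- 0xd3000 8 1 393258 /bin/bash
1692 0x00007f3c2a1c0000 0x00007f3c2a35f000 r-x 0x0 8 1 1048582 /lib/x86_64-linux-gnu/libc-2.13.so
1692 0x00007f3c2a560000 0x00007f3c2a561000 rwx 0x0 0 0 0
1692 0x00007fff1b2d8000 0x00007fff1b2f9000 rw- 0x0 0 0 0 [stack]
1692 0x00007fff1b3ff000 0x00007fff1b400000 r-x 0x0 0 0 0 [vdso]
1017 0x0000000000400000 0x0000000000450000 r-x 0x0 8 1 131076 /usr/sbin/cupsd
1017 0x00007f0e00000000 0x00007f0e00010000 r-x 0x0 8 1 262151 /tmp/.x/libhook.so
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_proc_maps(text):
    """Parse nine-column linux_proc_maps rows; header and separator lines are
    skipped (the equivalent of the report's tail -n +3)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 8)          # at most 9 fields, so a path keeps its spaces
        if len(parts) < 8 or not parts[0].isdigit():
            continue
        rows.append({
            "pid": int(parts[0]),
            "start": int(parts[1], 16),
            "end": int(parts[2], 16),
            "flags": parts[3],
            "inode": int(parts[7]),
            "path": parts[8].strip() if len(parts) == 9 else "",   # empty: anonymous mapping
        })
    return rows


def unique_paths(rows):
    """The report's awk '{print $9}' | sort | uniq reduction, minus the empty path."""
    return sorted({r["path"] for r in rows if r["path"]})


def triage(rows):
    """Flag mappings that deserve a second look in a rootkit investigation:
    executable memory with no backing file (what linux_malfind looks for),
    executable files loaded from world-writable temp directories, mappings
    whose backing file has been deleted, and file mappings that are both
    writable and executable."""
    findings = []
    for r in rows:
        flags, path = r["flags"], r["path"]
        executable = "x" in flags
        reason = None
        if executable and not path:
            reason = "executable anonymous mapping"
        elif executable and path.startswith(TEMP_DIRS):
            reason = "executable mapping backed by a file in a temporary directory"
        elif path.endswith("(deleted)"):
            reason = "mapping backed by a deleted file"
        elif executable and "w" in flags and not path.startswith("["):
            reason = "writable and executable file-backed mapping"
        if reason:
            findings.append(dict(r, reason=reason))
    return findings


if __name__ == "__main__":
    parsed = parse_proc_maps(SAMPLE_PROC_MAPS)
    print(f"{len(parsed)} mappings, {len(unique_paths(parsed))} unique paths")
    for f in triage(parsed):
        print(f"pid {f['pid']:>5} {f['start']:#018x}-{f['end']:#018x} {f['flags']} "
              f"{f['path'] or '<anonymous>'}: {f['reason']}")
```

To use it on a real capture, pass the contents of proc_maps.txt to parse_proc_maps instead of the constructed sample.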

3.5.7 Plugin linux_find_file

3.5.7.1 Running the plugin

This particular plugin can be used not only to dump pre-identified files from the memory image (using information obtained from other plugins) but also to list all filesystem objects with an open handle in memory. It will often list far more objects than linux_proc_maps or linux_lsof. However, it works differently than linux_proc_maps and linux_lsof do. Thus, when seeking out abnormal libraries and process names, plugin linux_lsof should be used first, followed by linux_proc_maps, then linux_find_file.

The output of the linux_find_file plugin lists not only the inode number and memory reference but also provides the full name of the filesystem object with the open handle. This plugin provides useful information that can be used to readily dump one or more objects from the memory image, but only if they are cached in memory.

However, this plugin is not designed for large-scale recovery of cached filesystem objects held within the memory image. For that, the linux_recover_filesystem plugin should be used. Also, not every file with a handle in memory can be recovered from the memory image, as that file may not currently reside within the filesystem cache.

The  plugin  was  run  using  the  following  command: 

$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_find_file -L > find_files.txt

Text file find_files.txt contained a listing of 14,495 unique filesystem objects. Unless actionable intelligence was made available from one of the previous plugins (which it was not), this list of objects will have to be examined manually to search for anomalies. Such a task may take several hours to inspect thoroughly. Looking for anomalies when one does not know Linux very well is very difficult, and sometimes just not possible.

While examining the plugin’s output, various files, including multiple open source rootkit packages, were found atop /media/malware, the mounted VirtualBox shared connection used to transfer the rootkit’s source code to the underlying virtual machine. What the reader should be concentrating on while examining this plugin’s output are the files that are directly related to this investigation, because these types of shares (containing malware) will most likely not be found in a real-world situation.

However,  for  the  sake  of  understanding  how  this  plugin  functions  with  respect  to  64-bit  inodes 
(the  previous  Linux  memory  analysis  reports  examined  32-bit  Linux  systems),  the  information 
obtained  from  this  plugin  can  be  found  in  Table  9. 


Table 9: Plugin output for linux_find_file
(suspicious objects from the mounted virtual machine share; sorted by Inode Number).

Inode Number   Inode                File Path                                                  Dumpable
18             0xffff8801151b1300   /media/malware/ubuntu/IVYL/rootkit-master.zip              No
20             0xffff880114485c80   /media/malware/ubuntu/IVYL/rootkit-master/rt.o             No
21             0xffff8801147bc4c0   /media/malware/ubuntu/IVYL/rootkit-master/.gitignore       No
22             0xffff880036a76720   /media/malware/ubuntu/IVYL/rootkit-master/Module.symvers   No
23             0xffff88010a284000   /media/malware/ubuntu/IVYL/rootkit-master/polis_paper.tex  No
24             0xffff8801151b1a20   /media/malware/ubuntu/IVYL/rootkit-master/rt.ko            No
25             0xffff880036998000   /media/malware/ubuntu/IVYL/rootkit-master/modules.order    No
26             0xffff880036998260   /media/malware/ubuntu/IVYL/rootkit-master/rt.mod.c         No
27             0xffff8800369984c0   /media/malware/ubuntu/IVYL/rootkit-master/.rt.mod.o.cmd    No
28             0xffff880036998720   /media/malware/ubuntu/IVYL/rootkit-master/README.md        No
29             0xffff880036998980   /media/malware/ubuntu/IVYL/rootkit-master/.rt.o.cmd        No
30             0xffff880036998be0   /media/malware/ubuntu/IVYL/rootkit-master/rt.mod.o         No
31             0xffff880036998e40   /media/malware/ubuntu/IVYL/rootkit-master/.rt.ko.cmd       No
32             0xffff8800369990a0   /media/malware/ubuntu/IVYL/rootkit-master/.tmp_versions    No

N.B.: The fourth column was added by the author and is not part of the plugin’s output. The “Dumpable” column is based on the results obtained in Section 3.5.7.2.


These files have the distinct look of an installation package (with source code) for a Linux rootkit. However, none of them was recoverable, unlike in report [9], where the various source-code-compiled *.so files were completely recovered. Nevertheless, even had any been recoverable, they would not likely be found in a real-world investigation, as they came from a VM shared folder.

Nevertheless,  the  commands  used  to  attempt  memory-based  file  recovery  would  be: 

$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_find_file -i 0xffff8801151b1a20 -O rt.ko

$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_find_file -i 0xffff8801151b1300 -O rootkit-master.zip

In  all,  it  was  attempted  to  recover  17  files  in  total,  including  source  code  and  other  data  files. 
However,  not  a  single  one  was  recovered. 

3.5.8  Plugin  linux_recover_filesystem 

This very powerful plugin can recreate the filesystem based on the contents of the memory image’s filesystem cache. All modern Linux systems use such a cache, although the amount of memory dedicated to such a cache can be configured.

Running this plugin can take many hours, depending on various factors, including the size of the memory image, the source and destination disks’ speed, whether the source and destination disk are the same disk, etc. In this case, using the same disk for both source and destination, it took approximately 3 hours to recover the filesystem cache. This is the only Linux plugin examined herein which requires being run as root: many of the files written back to disk have root-specific permissions that cannot be handled by a non-root user. Extended filesystem attributes are not preserved when the plugin recovers the data from the filesystem cache.

The  plugin  was  run  using  the  following  command: 

$ mkdir recover_fs

$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_recover_filesystem -D recover_fs

The plugin succeeded in recovering 11,537 files and 2,885 directories for a total of approximately 5,170,423,398 bytes (4.93 GiB) of consumed disk space within directory recover_fs. This was odd since the total memory allocated to the virtual machine was 4 GiB. Further investigation revealed that the mounted shared directory from the host system, /media/malware, was consuming most of this space. Therein, a copy of the uninfected memory dump file ubuntu_1104_base.mem was found consuming 4,433,464,300 bytes (4.13 GiB). However, its SHA1 hash was not at all the same, indicating that this file was no longer the same (see Section 1.7.1); further analysis revealed that this file was completely empty.

No evidence of the disk-based rootkit (e.g. /proc/rtkit, /rootkit), its source code, ZIP archive or compiled kernel module could be found within directory recover_fs.
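As an added example (not from the report), this Python script audits a directory written by linux_recover_filesystem -D and reports files that came back entirely zero-filled, as happened here with the 4.13 GiB copy of ubuntu_1104_base.mem; the sample tree it builds is constructed for illustration.

```python
"""Added example (not from the report): audit a tree written by
linux_recover_filesystem -D, recording each file's size and SHA1 and whether
the file is entirely zero-filled, as the report found for the 4.13 GiB copy
of ubuntu_1104_base.mem. Files are streamed in 1 MiB chunks so a multi-GiB
recovery does not have to fit in memory. The sample tree is constructed in a
temporary directory for illustration.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB read size


def inspect_file(path):
    """Return (size, sha1_hex, all_zero) for one file in a single pass."""
    digest = hashlib.sha1()
    size, all_zero = 0, True
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(CHUNK)
            if not buf:
                break
            size += len(buf)
            digest.update(buf)
            if all_zero and buf.count(0) != len(buf):   # any non-zero byte ends the check
                all_zero = False
    return size, digest.hexdigest(), all_zero


def audit_recovered_tree(root):
    """Walk the recovery directory; map each relative path to its inspect_file
    result, or to None when a root-only permission blocks reading it."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue                         # recovered symlinks may point anywhere
            rel = os.path.relpath(full, root)
            try:
                results[rel] = inspect_file(full)
            except PermissionError:
                results[rel] = None
    return results


def zero_filled(results):
    """Non-empty files whose recovered content is all zero bytes: the name and
    size came back from the cache, the data did not."""
    return sorted(p for p, r in results.items() if r and r[0] > 0 and r[2])


def build_sample_tree():
    """Constructed recovery tree (not from the report): one zero-filled
    'memory dump', one real file, one empty file."""
    root = tempfile.mkdtemp(prefix="recover_fs_")
    os.makedirs(os.path.join(root, "media", "malware"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "media", "malware", "base.mem"), "wb") as fh:
        fh.write(bytes(3 * CHUNK + 17))          # bytes(n) is n zero bytes
    with open(os.path.join(root, "etc", "hostname"), "wb") as fh:
        fh.write(b"ubuntu\n")
    open(os.path.join(root, "etc", "empty"), "wb").close()
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    audit = audit_recovered_tree(sample)
    for rel, res in sorted(audit.items()):
        print(rel, res)
    print("zero-filled:", zero_filled(audit))
```

Run audit_recovered_tree against the real recover_fs directory (as root, for the same permission reasons the report gives) and compare the SHA1 values with known-good copies where they exist.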

3.5.9  Summary 

Performing Volatility file detection and dumping has demonstrated that this rootkit, which has the ability to modify both procfs and readdir calls (see Section 1.4), apparently has the ability to hide itself from all file listing and related dumping plugins.

What was found concerning the rootkit infection was limited to the virtual machine share set up between the VM and host system to transfer the rootkit’s ZIP archive to the VM for compilation and infection. While the files from this share were visible, they were not dumpable. Again, in a real-world situation, it is unlikely that an investigator or incident handler would be fortunate enough to find all this information still readily available in a system’s captured memory.

Nevertheless,  in  going  over  the  various  possible  file  listing  and  related  dumping  plugins,  it  was 
possible  to  assess  the  various  capabilities  of  Volatility,  which  in  the  opinion  of  the  author,  are 
quite  remarkable. 

Finally, one plugin which was not listed in this step but which was experimented with was the linux_tmpfs plugin, which was found to be non-functional atop both Fedora 17 and 21.

3.6 Step 6: Volatility kernel-specific analyses


In  this  step,  various  plugins  will  be  used  to  attempt  to  identify  the  presence  of  a  kernel-level 
rootkit  using  kernel-specific  Volatility-based  checks. 

3.6.1 Plugin linux_lsmod

This plugin lists all visible Linux kernel modules running on the system, similar to the Linux lsmod command. Unlike lsmod, this plugin provides the base address for every detected kernel module.

The  plugin  was  run  using  the  following  command: 

$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_lsmod

This  resulted  in  the  modules  listed  in  Annex  B.7.  The  -P  parameter  can  be  used  to  list  all 
specified  module  input  parameters.  The  -S  parameter  can  be  used  to  list  all  memory  areas  used  by 
a  given  kernel  module.  Looking  at  the  output,  nothing  appears  out  of  the  ordinary.  All  the  kernel 
modules  listed  appear  legitimate. 

3.6.2 Plugin linux_check_modules

This powerful plugin performs kernel module differencing, looking for inconsistencies between the different kernel module lists. It compares the information reported by kernel structure /proc/modules against /sys/modules. Through this plugin, it may be possible to corroborate the results of the linux_hidden_modules plugin (next section).

The  plugin  was  run  using  the  following  command: 

$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_check_modules

This  plugin  took  several  minutes  to  complete  but  did  not  succeed  in  finding  any  pertinent 
information.  Thus,  it  appears  that  this  rootkit  has  the  ability  to  hide  from  both  /proc/modules  and 
/sys/modules,  something  not  commonly  seen  in  Linux  rootkits. 

3.6.3 Plugin linux_hidden_modules

This plugin finds hidden kernel modules that have been unlinked from the list of modules. The plugin scans the entire memory image for LKM structures and then compares this information against the list of reported modules [10, 12]. This is a highly useful plugin as it can reveal information about hard-to-detect rootkits. Although the linux_check_modules plugin also has the ability to detect hidden kernel modules, the two work through vastly different mechanisms.

The  plugin  was  run  using  the  following  command: 
$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_hidden_modules

This  plugin  succeeded  in  finding  a  hidden  kernel  module  named  rt  at  offset  0xffffffffa02bf020. 

Interestingly, the suspicious module’s name is the same as the loaded rootkit (rt.ko; see Section 1.6). The detected module should be dumpable using linux_moddump.

3.6.4 Plugin linux_moddump

The linux_moddump plugin is very similar to its Windows counterpart, moddump. Both versions of this plugin have the ability to dump all visible kernel modules (device drivers for Windows). Furthermore, both plugins have the ability to dump hidden modules (drivers) if a base address is specified. Thus, if there are indications of kernel-level malware activity and the module is not hidden, or at least a base address is known, the investigator/incident handler can dump it.

The  plugin  was  run  using  the  following  command: 

$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_moddump -b 0xffffffffa02bf020 -D .

The plugin created dumpfile rt.0xffffffffa02bf020.lkm, with a file size of 2,691,898 bytes (2.56 MiB) and a SHA1 hash of AE631B095A23F51450378211B8AA60237631CC6B. This file is much larger than the original compiled rootkit, rt.ko, found in Section 1.6.

A detailed strings analysis of the dumpfile reveals that this file is in fact the rootkit but that it also contains other memory residue, some of it very likely leftovers from other processes, threads, or modules. Although the rootkit module was successfully dumped, it is not as it should have been: it should have been equal in both size and hash value to the actual rootkit module, as the plugin is supposed to recreate the missing ELF header and properly align the pages. As such, further analyses will be conducted against this memory image to establish if additional indicators of compromise can be ascertained.
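As an added example (not from the report), this Python check quantifies how much of a dumped module file lies beyond what its own ELF64 headers describe, which is one way to measure the residue the strings analysis above found; the sample ELF it builds is constructed, and nothing here depends on Volatility.

```python
"""Added example (not from the report): measure how much of a dumped module
file lies beyond what its ELF64 headers describe. The report notes that the
linux_moddump output (rt.0xffffffffa02bf020.lkm) was far larger than the
original rt.ko; this check reads only the ELF header and section header table
and reports the trailing bytes no header accounts for. The sample ELF below is
constructed for illustration, not the report's dump file.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian
SHDR_FMT = "<IIQQQQIIQQ"         # ELF64 section header
SHT_NOBITS = 8                   # .bss-style sections occupy no file bytes


def elf_extent(data):
    """Return (described_end, file_size, trailing_bytes) for ELF64 bytes.

    described_end is the highest file offset covered by the ELF header, the
    program/section header tables, or the contents of any non-NOBITS section.
    Raises ValueError for anything that is not little-endian ELF64.
    """
    if len(data) < struct.calcsize(EHDR_FMT) or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_ident, _type, _machine, _version, _entry, phoff, shoff, _flags, ehsize,
     phentsize, phnum, shentsize, shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data)
    end = ehsize
    if phnum:
        end = max(end, phoff + phentsize * phnum)
    if shnum:
        end = max(end, shoff + shentsize * shnum)
        for i in range(shnum):
            off = shoff + i * shentsize
            if off + struct.calcsize(SHDR_FMT) > len(data):
                raise ValueError("section header table runs past end of file")
            (_name, sh_type, _sflags, _addr, sh_off, sh_size,
             _link, _info, _align, _entsize) = struct.unpack_from(SHDR_FMT, data, off)
            if sh_type != SHT_NOBITS:
                end = max(end, sh_off + sh_size)
    return end, len(data), max(0, len(data) - end)


def build_sample_elf(text_size=0x200, residue=0x400):
    """Constructed ET_REL ELF64 (x86-64): null section + one .text section,
    followed by `residue` bytes that no header references."""
    text_off = 64
    shoff = text_off + text_size
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)       # class64, LSB, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 1, 62, 1, 0, 0, shoff, 0,
                       64, 0, 0, 64, 2, 0)                     # e_type=ET_REL, e_machine=x86-64
    sh_null = struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    sh_text = struct.pack(SHDR_FMT, 1, 1, 6, 0, text_off, text_size, 0, 0, 16, 0)  # PROGBITS, AX
    return ehdr + b"\x90" * text_size + sh_null + sh_text + b"\xcc" * residue


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    described, size, trailing = elf_extent(blob)
    print(f"headers describe {described} of {size} bytes; {trailing} trailing bytes unaccounted for")
```

Pointing the script at a real .lkm dump shows whether the excess is trailing residue or whether the recreated header itself claims more than the original module did.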

3.6.5 Plugin linux_check_fop

An interesting plugin, it is used to verify if there are hooks in the kernel with respect to opened files and validates that each file’s file operation structure is intact. When a potential hook is discovered, the plugin will generate output [10].

The  plugin  was  run  using  the  following  command: 

$  volatility  --profile=Linuxubuntu_1104_profilex64  -f 
ubuntu_1104_IVYL.mem  linux_check_fop 

Running this plugin produced 788 lines of output that can be found in Annex B.8. Looking at that output, it is evident that this rootkit has hooked many instances of readdir().

3.6.6 Plugin linux_check_syscall
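As an added example (not from the report), the core of the check linux_check_fop performs, written in Python: each file_operations pointer is attributed to kernel text, to a listed module, or to nothing the kernel lists; all ranges and pointers are constructed for illustration.

```python
"""Added example (not from the report): the check behind linux_check_fop,
reduced to its core. Every function pointer in a file's file_operations
(readdir, open, ...) should land inside the kernel's text or inside a module
the kernel lists; anything else is a hook candidate. Ranges and pointers below
are constructed for illustration (module ranges would come from linux_lsmod -S);
none are the report's values.
"""
from bisect import bisect_right

# Constructed (not from the report): kernel text range and listed modules (name, base, size).
KERNEL_TEXT = (0xffffffff81000000, 0xffffffff81a00000)
MODULES = [
    ("ext4",   0xffffffffa0000000, 0x80000),
    ("vboxsf", 0xffffffffa0100000, 0x10000),
]

# Constructed (path, operation, pointer) triples, as if read from file_operations.
SAMPLE_FOPS = [
    ("/proc/modules", "readdir", 0xffffffff812345a0),   # inside kernel text
    ("/media/malware", "readdir", 0xffffffffa0104210),  # inside vboxsf, a listed module
    ("/proc", "readdir", 0xffffffffa02c1180),           # inside nothing the kernel lists
    ("/home/richard", "open", 0xffffffff8123e000),      # inside kernel text
]


class PointerClassifier:
    """Attribute a code address to kernel text, a listed module, or UNKNOWN."""

    def __init__(self, kernel_text, modules):
        self.kernel = kernel_text
        self.ranges = sorted((base, base + size, name) for name, base, size in modules)
        self.starts = [r[0] for r in self.ranges]

    def classify(self, addr):
        lo, hi = self.kernel
        if lo <= addr < hi:
            return "kernel"
        i = bisect_right(self.starts, addr) - 1          # last module starting at or below addr
        if i >= 0 and self.ranges[i][0] <= addr < self.ranges[i][1]:
            return "module:" + self.ranges[i][2]
        return "UNKNOWN"


def check_fops(entries, classifier):
    """Return (path, op, addr, origin) for every pointer that cannot be attributed.

    A pointer into a listed module is attributed, not cleared: a visible but
    malicious module would pass here and must be judged by other means. A
    module hidden from the module list (what linux_hidden_modules recovers)
    shows up as UNKNOWN until its range is added to the classifier.
    """
    hooked = []
    for path, op, addr in entries:
        origin = classifier.classify(addr)
        if origin == "UNKNOWN":
            hooked.append((path, op, addr, origin))
    return hooked


if __name__ == "__main__":
    clf = PointerClassifier(KERNEL_TEXT, MODULES)
    for path, op, addr, origin in check_fops(SAMPLE_FOPS, clf):
        print(f"{path}: {op} -> {addr:#x} ({origin})")
```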

This  plugin  searches  a  memory  image  for  hooked  system  calls  (syscalls).  If  the  plugin  detects 
something,  it  will  print  HOOKED  followed  by  the  expected  system  call  [10]. 

The  plugin  was  run  using  the  following  command: 

$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_check_syscall

Running  the  plugin  resulted  in  no  hooked  system  calls.  This  could  be  because  there  are  none  or 
because  the  rootkit  successfully  hid  them. 

3.6.7 Plugin linux_check_afinfo

This plugin validates two network protocol-specific kernel structures, file operations and sequence operations, against kernel structures tcp6_seq_afinfo, tcp4_seq_afinfo, udp6_seq_afinfo, udp4_seq_afinfo, udplite6_seq_afinfo and udplite4_seq_afinfo. Essentially, this plugin attempts to determine if any of these structures have been tampered with [10].

The  plugin  was  run  using  the  following  command: 

$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_check_afinfo

The  plugin  did  not  provide  any  output  thereby  indicating  that  no  abnormalities  had  been  detected. 

3.6.8  Summary 

Performing Volatility kernel-specific analyses has demonstrated that some of the various kernel-specific plugins have positively identified that a rootkit is at work. Specifically, the linux_hidden_modules and linux_check_fop plugins have found clear evidence of rootkit infection, while plugin linux_moddump was used to dump the rootkit module to disk.

Interestingly, the linux_hidden_modules and linux_check_modules plugins were not able to corroborate one another, as they typically do. Thus, it must be concluded that this rootkit has the ability to modify the results from kernel pseudo-file /sys/modules, which, when compared against /proc/modules, should have yielded some indication of rootkit infection.

The other plugins, linux_lsmod, linux_check_syscall and linux_check_afinfo, did not find any additional indications of rootkit activity.

Finally, while the module dumped to disk was identified as the rootkit, containing the same strings as the compiled rootkit, the memory-dumped version was much larger, whereas we expected the plugin to dump only the LKM itself.

3.7 Step 7: Volatility network-specific plugins

This  step  will  examine  the  use  of  various  network-based  plugins  as  they  pertain  to  this 
investigation. 

3.7.1 Plugin linux_route_cache

This  plugin  produces  information  concerning  the  system’s  routing  cache,  which  includes  both 
ongoing  and  recently  terminated  communications.  This  plugin  also  lists  additional  information 
including  the  underlying  system’s  IP  address  and  various  gateway  addresses  in  use,  which  could 
be  modified  by  certain  malware  to  avoid  detection. 

The  plugin  was  run  using  the  following  command: 

$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_route_cache | sort | uniq

The information presented in Table 10 does not accurately reflect the various IP addresses attributed to the infected virtual machine. The actual IP address of the virtual machine is 10.0.2.15, which is incorrectly attributed to interface lo but which should be allocated to interface eth0. The gateway address, 10.0.2.2, is correct as the virtual machine was configured to use NAT. However, the IP address of the host system, 192.168.0.102, is not found herein, which is normal, as this address does not have an actual impact on the virtual machine’s network routing table. The host system’s DSL router’s address was 192.168.0.1, which was the gateway address for accessing the Internet. Finally, addresses 91.189.89.199 and 91.189.94.4, upon having looked them up, are both attributable to Canonical Ltd (footnote 7).

Table 10: Plugin output for linux_route_cache (sorted by interface).

Interface   Destination     Gateway
eth0        91.189.89.199   10.0.2.2
eth0        91.189.94.4     10.0.2.2
eth0        192.168.0.1     10.0.2.2
lo          10.0.2.15       10.0.2.15
lo          127.0.0.1       127.0.0.1

Thus, appropriate context is required to make sense of this plugin’s output.

3.7.2  Plugin  linux_netstat 

This plugin performs the equivalent of the UNIX/Linux netstat command in that it is used to print information concerning network connections (the actual netstat command does far more).

The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f
ubuntu_1104_IVYL.mem linux_netstat -v | grep -P '(TCP|UDP)'

7 Canonical is the maker of Ubuntu Linux.

The information revealed by the output shown in Table 11 indicates that there is nothing out of the ordinary going on with respect to network communications. Running the plugin without the grep statement also revealed nothing out of the ordinary.

Table 11: Plugin output for linux_netstat for TCP/UDP (sorted by Type and Socket/Inode).

Type   Local address:port   Remote address:port   State    Process/PID
UDP    0.0.0.0:5353         0.0.0.0:0                      avahi-daemon/446
UDP    :::5353              :::0                           avahi-daemon/446
UDP    0.0.0.0:36575        0.0.0.0:0                      avahi-daemon/446
UDP    :::41003             :::0                           avahi-daemon/446
UDP    0.0.0.0:68           0.0.0.0:0                      dhclient/523
TCP    ::1:631              :::0                  LISTEN   cupsd/1017
TCP    127.0.0.1:631        0.0.0.0:0             LISTEN   cupsd/1017

3.7.3 Plugin linux_list_raw

This  new  Volatility  plugin  is  designed  to  list  all  processes  running  with  raw  (or  promiscuous) 
sockets,  which  can  be  helpful  in  determining  if  a  sniffer  or  other  possibly  malicious  service  (or 
daemon  or  malware)  was  active  atop  the  suspect  system. 

The  plugin  was  run  using  the  following  command: 

$  volatility  --profile=Linuxubuntu_1104_profilex64  -f 
ubuntu_1104_IVYL.mem  linux_list_raw 

While  it  is  currently  unknown  if  the  system  DHCP  process  (dhclient)  shown  in  Table  12  should 
be  running  with  a  raw  socket,  it  does  not  in  itself  appear  to  be  malicious  in  nature. 


Table 12: Plugin output for linux_list_raw.

Process    PID   File Descriptor   Inode
dhclient   523   5                 7867

3.7.4  Summary 

Performing Volatility network-specific analyses has demonstrated that not all rootkits and malware take advantage of Internet-facing connections. Plugin linux_sk_buff_cache was not used because there were no suspicious communications in progress or recently ended. There was no point in running plugin linux_netfilter as there was no firewall running, as per the kernel’s list of loaded modules (see Section 3.6.1 for details). There was also little reason to have believed, at least in the author’s opinion, that running the linux_arp plugin would have revealed any additional information of interest.

The  plugins  used  in  this  step  have  not  been  able  to  identify  any  additional  information  pertinent  to 
this  investigation,  at  least  with  respect  to  the  network. 

3.8 Step 8: Additional checks

This step runs additional checks for injected code, credential elevation and indications of keylogger activity, in order to identify certain telltale signs of some rootkits.

3.8.1 Plugin linux_malfind

This plugin, similar to its Windows counterpart, searches process memory mappings for indications of code injection (for example, anonymous mappings that are both writable and executable).

The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_malfind

The plugin found no indication of injected code within this memory image.

3.8.2 Plugin linux_check_creds

This plugin checks whether any processes share a credential (struct cred) structure. Each process normally owns its own cred, so two PIDs pointing at the same one is the fingerprint of rootkits that elevate a process by pointing its cred at that of a root task instead of going through the kernel's commit_creds path.

The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_check_creds

The plugin found no indication of process elevation. The results might have been different had the rootkit's "root" shell been invoked (see Section 1.7 for details).
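The test linux_check_creds performs is small enough to show in full. The following is an added example, not code from the report or from Volatility: it walks a list of tasks, groups them by the address of task_struct->cred, and reports any cred referenced by more than one PID. Fork copies the parent's cred (copy_creds calls prepare_creds) and setuid installs a fresh one through commit_creds, so on a clean system no two thread-group leaders share a cred; threads of one process do share one by design, which is why the walk covers thread-group leaders only, as linux_pslist does. The task list and every address in it are constructed, not taken from the report's image.

```python
"""Added example (not from the report): the shared-credential test behind
linux_check_creds, run over a constructed task list."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Task(NamedTuple):
    pid: int
    comm: str
    cred: int   # kernel virtual address of task_struct->cred
    uid: int    # cred->uid, as read from the cred structure itself


# Constructed sample: thread-group leaders only, addresses assumed.
SAMPLE_TASKS = [
    Task(1,    "init",         0xffff88011e0c3c00, 0),
    Task(446,  "avahi-daemon", 0xffff88011d81a300, 105),
    Task(523,  "dhclient",     0xffff88011d81a600, 0),
    Task(1017, "cupsd",        0xffff88011d9a1e00, 0),
    Task(2043, "bash",         0xffff88011c77f900, 1000),
    # Constructed: a user's shell whose cred pointer was redirected at
    # init's cred by a kernel backdoor.  Its uid now reads 0, yet no
    # prepare_creds/commit_creds ever ran for it, so the address is shared.
    Task(3120, "bash",         0xffff88011e0c3c00, 0),
]


def find_shared_creds(tasks: List[Task]) -> Dict[int, List[Task]]:
    """Map each cred address referenced by more than one task to those tasks."""
    by_cred = defaultdict(list)
    for t in tasks:
        by_cred[t.cred].append(t)
    return {addr: ts for addr, ts in by_cred.items() if len(ts) > 1}


def report(tasks: List[Task]) -> List[str]:
    """One line per shared cred, in the spirit of the plugin's output."""
    lines = []
    for addr, ts in sorted(find_shared_creds(tasks).items()):
        members = ", ".join(f"{t.comm}/{t.pid} (uid {t.uid})" for t in ts)
        lines.append(f"0x{addr:016x} shared by {members}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TASKS)) or "no shared credential structures")
```

Dropping the last, constructed task leaves the report empty, which is the result the author obtained against the IVYL image before its root shell was ever invoked.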

3.8.3 Plugin linux_apihooks

This plugin checks user-space processes for API hooking [10, 12], sometimes known as inline hooking, in which the first bytes of a library function are overwritten with a jump to attacker code. Various malware uses the technique to intercept library calls made by the processes it has infected.

The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_apihooks

This plugin was found to be non-functional, at least atop Fedora 17 and 21, having aborted due to an obscure Volatility error.

3.8.4 Plugin linux_check_idt

This plugin checks a memory image for signs of hooking in the system's Interrupt Descriptor Table (IDT) [10, 12]. Each entry's handler address is resolved against the kernel's symbols; if an entry appears to have been hooked, the plugin prints HOOKED in lieu of the expected symbol name.

The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_check_idt

The information in Table 13 indicates that nothing out of the ordinary has occurred to the system IDT: every entry resolves to its expected kernel handler.


Table 13: Plugin output for linux_check_idt (sorted by index).

Index   Address               Symbol
0x0     0xffffffff8100cc20    divide_error
0x1     0xffffffff815c3360    debug
0x2     0xffffffff815c3770    nmi
0x3     0xffffffff815c33a0    int3
0x4     0xffffffff8100cc40    overflow
0x5     0xffffffff8100cc60    bounds
0x6     0xffffffff8100cc80    invalid_op
0x7     0xffffffff8100cca0    device_not_available
0x8     0xffffffff8100ccc0    double_fault
0x9     0xffffffff8100ccf0    coprocessor_segment_overrun
0xa     0xffffffff8100cd10    invalid_TSS
0xb     0xffffffff8100cd40    segment_not_present
0xc     0xffffffff815c33e0    stack_segment
0xd     0xffffffff815c3480    general_protection
0xe     0xffffffff815c34b0    page_fault
0xf     0xffffffff8100cd70    spurious_interrupt_bug
0x10    0xffffffff8100cd90    coprocessor_error
0x11    0xffffffff8100cdb0    alignment_check
0x12    0xffffffff815c3510    machine_check
0x13    0xffffffff8100cde0    simd_coprocessor_error
0x80    0xffffffff81048aa0    ia32_syscall

3.8.5 Plugins for keylogger detection (linux_check_tty and linux_keyboard_notifiers)

Both plugins can be used to help identify kernel-level keyloggers, as each checks a different mechanism. It is hoped that one of them will determine whether a keylogger introduced by the rootkit is present in this memory image.

The following commands were issued:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_check_tty

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_keyboard_notifiers

The information in Table 14 indicates that nothing out of the ordinary has occurred to the system's tty devices: every tty's receive_buf still points at the kernel's own n_tty_receive_buf. Plugin linux_keyboard_notifiers produced no output, meaning the keyboard notifier call chain is empty.


Table 14: Plugin output for linux_check_tty (sorted by tty).

Name   Address               Symbol
tty1   0xffffffff81386160    n_tty_receive_buf
tty2   0xffffffff81386160    n_tty_receive_buf
tty3   0xffffffff81386160    n_tty_receive_buf
tty4   0xffffffff81386160    n_tty_receive_buf
tty5   0xffffffff81386160    n_tty_receive_buf
tty6   0xffffffff81386160    n_tty_receive_buf
tty7   0xffffffff81386160    n_tty_receive_buf

Whereas the former plugin checks each tty's line discipline for a hooked receive_buf function pointer, the latter walks the keyboard notifier call chain looking for callbacks that resolve to a module or to no known kernel symbol [10, 12].
3.8.6 Plugin linux_check_evt_arm

This plugin searches for system call table hooking via the Exception Vector Table (EVT), the ARM analogue of the x86 IDT (see Section 3.8.4).

The plugin was run using the following command:

$ volatility --profile=Linuxubuntu_1104_profilex64 -f ubuntu_1104_IVYL.mem linux_check_evt_arm

This produced no useful output. Note that the plugin is ARM-specific: against an x86-64 image such as this one it cannot locate an EVT, so its silence is not evidence that the system call table is unhooked. The x86 equivalents are linux_check_syscall (system call table) and linux_check_idt (Section 3.8.4).

3.8.7 Summary

Although it was desirable to run plugin linux_process_hollow, it requires the PID of one or more processes to test against (or an ELF base address), and since there were no suspicious processes to test, this plugin was not used. PID 2800, identified in Section 3.3.5, is entirely indicative of a leftover remnant in memory.

The plugins used in this step found no indication of keylogger activity, nor any evidence of hooking in the IDT (the EVT check does not apply to an x86-64 image).

Finally, no indication of rootkit activity could be found with these checks. However, to be fair, no augmented root shell was opened with extended privileges in the VM (see Section 1.7), nor is it certain whether this rootkit has a keylogging capability.
4 Conclusion

IVYL, the third rootkit analysed in this suite of reports (or tutorials), while simple with respect to its capabilities as compared to KBeast, was more difficult to identify. This specific report looked at and used many of the various Volatility plugins, far more than in the first two reports. In the end, the plugin that definitively identified the rootkit was linux_hidden_modules, but when the LKM was dumped using linux_moddump, the dumped LKM was several orders of magnitude larger than the actual rootkit. Because of this, additional analyses were carried out in the hope of better understanding the infection.

As mentioned in several locations throughout the report, even though the VM shared folder and its files/directories were visible (as they pertained to the rootkit), they were never dumpable or recoverable. Moreover, in a real-world situation, it would be very unlikely that an investigator/incident handler would see a shared folder with all this evidence readily available.

This report has shown investigators/incident handlers what to look for when the majority of useful (and non-reverse-engineering) Volatility plugins have been exhausted and turned up empty, that is to say they show no specific evidence of malware infection.

Again, as with the two previous Linux memory analysis reports, this rootkit was not identified as infected, malicious or suspicious by VirusTotal, which that day used 57 different scanners to scan the uploaded rootkit sample. This is somewhat shocking considering that the rootkit is nearly two years old and its source code is available to anyone for modification or direct use.

Finally, this case study will hopefully have demonstrated to investigators/incident handlers how to systematically proceed with investigating a suspected Linux-based memory image and determine whether it has been infected, or set up for use, by a kernel-module-based rootkit such as IVYL.
Annex A Volatility 2.4 Linux-based plugins

Table A.1 is a complete list of the default Linux-based plugins provided by Volatility's 2.4 stable release.


Table A.1: List of Volatility 2.4 plugins.

Plugin                        Capability (as per Volatility --info output)
linux_apihooks                Checks for userland apihooks
linux_arp                     Print the ARP table
linux_banner                  Prints the Linux banner information
linux_bash                    Recover bash history from bash process memory
linux_bash_env                Recover bash's environment variables
linux_bash_hash               Recover bash hash table from bash process memory
linux_check_afinfo            Verifies the operation function pointers of network protocols
linux_check_creds             Checks if any processes are sharing credential structures
linux_check_evt_arm           Checks the Exception Vector Table to look for syscall table hooking
linux_check_fop               Check file operation structures for rootkit modifications
linux_check_idt               Checks if the IDT has been altered
linux_check_inline_kernel     Check for inline kernel hooks
linux_check_modules           Compares module list to sysfs info, if available
linux_check_syscall           Checks if the system call table has been altered
linux_check_syscall_arm       Checks if the system call table has been altered
linux_check_tty               Checks tty devices for hooks
linux_cpuinfo                 Prints info about each active processor
linux_dentry_cache            Gather files from the dentry cache
linux_dmesg                   Gather dmesg buffer
linux_dump_map                Writes selected memory mappings to disk
linux_elfs                    Find ELF binaries in process mappings
linux_enumerate_files         Lists files referenced by the filesystem cache
linux_find_file               Lists and recovers files from memory
linux_hidden_modules          Carves memory to find hidden kernel modules
linux_ifconfig                Gathers active interfaces
linux_info_regs               It's like 'info registers' in GDB. It prints out all the
linux_iomem                   Provides output similar to /proc/iomem
linux_kernel_opened_files     Lists files that are opened from within the kernel
linux_keyboard_notifiers      Parses the keyboard notifier call chain
linux_ldrmodules              Compares the output of proc maps with the list of libraries from libdl
linux_library_list            Lists libraries loaded into a process
linux_librarydump             Dumps shared libraries in process memory to disk
linux_list_raw                List applications with promiscuous sockets
linux_lsmod                   Gather loaded kernel modules
linux_lsof                    Lists open files
linux_malfind                 Looks for suspicious process mappings
linux_memmap                  Dumps the memory map for linux tasks
linux_moddump                 Extract loaded kernel modules
linux_mount                   Gather mounted fs/devices
linux_mount_cache             Gather mounted fs/devices from kmem_cache
linux_netfilter               Lists Netfilter hooks
linux_netstat                 Lists open sockets
linux_pidhashtable            Enumerates processes through the PID hash table
linux_pkt_queues              Writes per-process packet queues out to disk
linux_plthook                 Scan ELF binaries' PLT for hooks to non-NEEDED images
linux_proc_maps               Gathers process maps for linux
linux_proc_maps_rb            Gathers process maps for linux through the mappings red-black tree
linux_procdump                Dumps a process's executable image to disk
linux_process_hollow          Checks for signs of process hollowing
linux_psaux                   Gathers processes along with full command line and start time
linux_psenv                   Gathers processes along with their environment
linux_pslist                  Gather active tasks by walking the task_struct->task list
linux_pslist_cache            Gather tasks from the kmem_cache
linux_pstree                  Shows the parent/child relationship between processes
linux_psxview                 Find hidden processes with various process listings
linux_recover_filesystem      Recovers the entire cached file system from memory
linux_route_cache             Recovers the routing cache from memory
linux_sk_buff_cache           Recovers packets from the sk_buff kmem_cache
linux_slabinfo                Mimics /proc/slabinfo on a running machine
linux_strings                 Match physical offsets to virtual addresses (may take a while, VERY verbose)
linux_threads                 Prints threads of processes
linux_tmpfs                   Recovers tmpfs filesystems from memory
linux_truecrypt_passphrase    Recovers cached Truecrypt passphrases
linux_vma_cache               Gather VMAs from the vm_area_struct cache
linux_volshell                Shell in the memory image
linux_yarascan                A shell in the Linux memory image
Annex B Plugin output and listings

This annex provides the various outputs and listings for the different plugins used throughout this report that are too lengthy to fit within the main text.

B.1 Output for plugin linux_dmesg

The following output was generated by the Volatility linux_dmesg plugin (see Section 3.2.3):


[2314885531810281020.2314885531] Initializing cgroup subsys cpuset
<6>[    0.000000] Initializing cgroup subsys cpu
<5>[    0.000000] Linux version 2.6.38-8-generic (buildd@allspice) (gcc version 4.5.2 (Ubuntu/Linaro 4.5.2-8ubuntu3) ) #42-Ubuntu SMP Mon Apr 11 03:31:24 UTC 2011 (Ubuntu 2.6.38-8.42-generic 2.6.38.2)
<6>[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-2.6.38-8-generic root=UUID=45fdcb1c-c3c7-4c98-9ac3-7f8acf84ac26 ro quiet splash vt.handoff=7
<6>[    0.000000] BIOS-provided physical RAM map:
<6>[    0.000000]  BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
<6>[    0.000000]  BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
<6>[    0.000000]  BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
<6>[    0.000000]  BIOS-e820: 0000000000100000 - 00000000dfff0000 (usable)
<6>[    0.000000]  BIOS-e820: 00000000dfff0000 - 00000000e0000000 (ACPI data)
<6>[    0.000000]  BIOS-e820: 00000000fffc0000 - 0000000100000000 (reserved)
<6>[    0.000000]  BIOS-e820: 0000000100000000 - 0000000120000000 (usable)
<6>[    0.000000] NX (Execute Disable) protection: active
<6>[    0.000000] DMI 2.5 present.
<7>[    0.000000] DMI: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
<7>[    0.000000] e820 update range: 0000000000000000 - 0000000000010000 (usable) ==> (reserved)
<7>[    0.000000] e820 remove range: 00000000000a0000 - 0000000000100000 (usable)
<6>[    0.000000] No AGP bridge found
<6>[    0.000000] last_pfn = 0x120000 max_arch_pfn = 0x400000000
<7>[    0.000000] MTRR default type: uncachable
<7>[    0.000000] MTRR variable ranges disabled:
<6>[    0.000000] x86 PAT enabled: cpu 0, old 0x7040600070406, new 0x7010600070106
<6>[    0.000000] CPU MTRRs all blank - virtualized system.
<6>[    0.000000] last_pfn = 0xdfff0 max_arch_pfn = 0x400000000
<6>[    0.000000] found SMP MP-table at [ffff88000009fff0] 9fff0
<7>[    0.000000] initial memory mapped : 0 - 20000000
<6>[    0.000000] init_memory_mapping: 0000000000000000-00000000dfff0000
<7>[    0.000000]  0000000000 - 00dfe00000 page 2M
<7>[    0.000000]  00dfe00000 - 00dfff0000 page 4k
<7>[    0.000000] kernel direct mapping tables up to dfff0000 @ 1fffa000-20000000
<6>[    0.000000] init_memory_mapping: 0000000100000000-0000000120000000
<7>[    0.000000]  0100000000 - 0120000000 page 2M
<7>[    0.000000] kernel direct mapping tables up to 120000000 @ dffea000-dfff0000
<6>[    0.000000] RAMDISK: 366da000 - 37365000
<4>[    0.000000] ACPI: RSDP 00000000000e0000 00024 (v02 VBOX  )
<4>[    0.000000] ACPI: XSDT 00000000dfff0030 0003C (v01 VBOX   VBOXXSDT 00000001 ASL  00000061)
<4>[    0.000000] ACPI: FACP 00000000dfff00f0 000F4 (v04 VBOX   VBOXFACP 00000001 ASL  00000061)
<4>[    0.000000] ACPI: DSDT 00000000dfff0470 01B96 (v01 VBOX   VBOXBIOS 00000002 INTL 20100528)
<4>[    0.000000] ACPI: FACS 00000000dfff0200 00040
<4>[    0.000000] ACPI: APIC 00000000dfff0240 0005C (v02 VBOX   VBOXAPIC 00000001 ASL  00000061)
<4>[    0.000000] ACPI: SSDT 00000000dfff02a0 001CC (v01 VBOX   VBOXCPUT 00000002 INTL 20100528)
<7>[    0.000000] ACPI: Local APIC address 0xfee00000
<6>[    0.000000] No NUMA configuration found
<6>[    0.000000] Faking a node at 0000000000000000-0000000120000000
<6>[    0.000000] Initmem setup node 0 0000000000000000-0000000120000000
<6>[    0.000000]   NODE_DATA [000000011fffb000 - 000000011fffffff]
<7>[    0.000000]  [ffffea0000000000-ffffea0003ffffff] PMD -> [ffff88011be00000-ffff88011f7fffff] on node 0
<4>[    0.000000] Zone PFN ranges:
<4>[    0.000000]   DMA      0x00000010 -> 0x00001000
<4>[    0.000000]   DMA32    0x00001000 -> 0x00100000
<4>[    0.000000]   Normal   0x00100000 -> 0x00120000
<4>[    0.000000] Movable zone start PFN for each node
<4>[    0.000000] early_node_map[3] active PFN ranges
<4>[    0.000000]     0: 0x00000010 -> 0x0000009f
<4>[    0.000000]     0: 0x00000100 -> 0x000dfff0
<4>[    0.000000]     0: 0x00100000 -> 0x00120000
<7>[    0.000000] On node 0 totalpages: 1048447
<7>[    0.000000]   DMA zone: 56 pages used for memmap
<7>[    0.000000]   DMA zone: 6 pages reserved
<7>[    0.000000]   DMA zone: 3921 pages, LIFO batch:0
<7>[    0.000000]   DMA32 zone: 14280 pages used for memmap
<7>[    0.000000]   DMA32 zone: 899112 pages, LIFO batch:31
<7>[    0.000000]   Normal zone: 1792 pages used for memmap
<7>[    0.000000]   Normal zone: 129280 pages, LIFO batch:31
<6>[    0.000000] ACPI: PM-Timer IO Port: 0x4008
<7>[    0.000000] ACPI: Local APIC address 0xfee00000
<6>[    0.000000] ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)
<6>[    0.000000] ACPI: LAPIC (acpi_id[0x01] lapic_id[0x01] enabled)
<6>[    0.000000] ACPI: IOAPIC (id[0x02] address[0xfec00000] gsi_base[0])
<6>[    0.000000] IOAPIC[0]: apic_id 2, version 17, address 0xfec00000, GSI 0-23
<6>[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
<6>[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
<7>[    0.000000] ACPI: IRQ0 used by override.
<7>[    0.000000] ACPI: IRQ2 used by override.
<7>[    0.000000] ACPI: IRQ9 used by override.
<6>[    0.000000] Using ACPI (MADT) for SMP configuration information
<6>[    0.000000] SMP: Allowing 2 CPUs, 0 hotplug CPUs
<7>[    0.000000] nr_irqs_gsi: 40
<6>[    0.000000] PM: Registered nosave memory: 000000000009f000 - 00000000000a0000
<6>[    0.000000] PM: Registered nosave memory: 00000000000a0000 - 00000000000f0000
<6>[    0.000000] PM: Registered nosave memory: 00000000000f0000 - 0000000000100000
<6>[    0.000000] PM: Registered nosave memory: 00000000dfff0000 - 00000000e0000000
<6>[    0.000000] PM: Registered nosave memory: 00000000e0000000 - 00000000fffc0000
<6>[    0.000000] PM: Registered nosave memory: 00000000fffc0000 - 0000000100000000
<6>[    0.000000] Allocating PCI resources starting at e0000000 (gap: e0000000:1ffc0000)
<6>[    0.000000] Booting paravirtualized kernel on bare hardware
<6>[    0.000000] setup_percpu: NR_CPUS:256 nr_cpumask_bits:256 nr_cpu_ids:2 nr_node_ids:1
<6>[    0.000000] PERCPU: Embedded 28 pages/cpu @ffff8800dfc00000 s84416 r8192 d22080 u1048576
<7>[    0.000000] pcpu-alloc: s84416 r8192 d22080 u1048576 alloc=1*2097152
<7>[    0.000000] pcpu-alloc: [0] 0 1
<4>[    0.000000] Built 1 zonelists in Node order, mobility grouping on.  Total pages: 1032313
<4>[    0.000000] Policy zone: Normal
<5>[    0.000000] Kernel command line: BOOT_IMAGE=/vmlinuz-2.6.38-8-generic root=UUID=45fdcb1c-c3c7-4c98-9ac3-7f8acf84ac26 ro quiet splash vt.handoff=7
<6>[    0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)
<6>[    0.000000] Checking aperture...
<6>[    0.000000] No AGP bridge found
<7>[    0.000000] Calgary: detecting Calgary via BIOS EBDA area
<7>[    0.000000] Calgary: Unable to locate Rio Grande table in EBDA - bailing!
<6>[    0.000000] Memory: 4041840k/4718592k available (5940k kernel code, 524804k absent, 151948k reserved, 5017k data, 956k init)
<6>[    0.000000] SLUB: Genslabs=15, HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
<6>[    0.000000] Hierarchical RCU implementation.
<6>[    0.000000]   RCU dyntick-idle grace-period acceleration is enabled.
<6>[    0.000000]   RCU-based detection of stalled CPUs is disabled.
<6>[    0.000000] NR_IRQS:16640 nr_irqs:512 16
<6>[    0.000000] vt handoff: transparent VT on vt#7
<4>[    0.000000] Console: colour dummy device 80x25
<6>[    0.000000] console [tty0] enabled
<6>[    0.000000] allocated 41943040 bytes of page_cgroup
<6>[    0.000000] please try 'cgroup_disable=memory' option if you don't want memory cgroups
<4>[    0.000000] Fast TSC calibration failed
<4>[    0.000000] TSC: Unable to calibrate against PIT
<6>[    0.000000] TSC: using PMTIMER reference calibration
<4>[    0.000000] Detected 3481.792 MHz processor.
<6>[    0.030004] Calibrating delay loop (skipped), value calculated using timer frequency.. 6963.58 BogoMIPS (lpj=34817920)
<6>[    0.030008] pid_max: default: 32768 minimum: 301
<6>[    0.030027] Security Framework initialized
<6>[    0.030042] AppArmor: AppArmor initialized
<6>[    0.030044] Yama: becoming mindful.
<6>[    0.034296] Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes)
<6>[    0.035384] Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes)
<4>[    0.035578] Mount-cache hash table entries: 256
<6>[    0.040088] Initializing cgroup subsys ns
<4>[    0.040091] ns_cgroup deprecated: consider using the 'clone_children' flag without the ns_cgroup.
<6>[    0.040094] Initializing cgroup subsys cpuacct
<6>[    0.040097] Initializing cgroup subsys memory
<6>[    0.040102] Initializing cgroup subsys devices
<6>[    0.040105] Initializing cgroup subsys freezer
<6>[    0.040107] Initializing cgroup subsys net_cls
<6>[    0.040109] Initializing cgroup subsys blkio
<6>[    0.040183] CPU: Physical Processor ID: 0
<6>[    0.040186] CPU: Processor Core ID: 0
<6>[    0.040189] mce: CPU supports 0 MCE banks
<6>[    0.046882] ACPI: Core revision 20110112
<6>[    0.047519] ftrace: allocating 24314 entries in 96 pages
<6>[    0.050121] Setting APIC routing to flat
<6>[    0.060277] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
<6>[    0.187051] CPU0: Intel(R) Core(TM) i7 CPU X 000 @ 3.33GHz stepping 02
<4>[    0.190000] APIC calibration not consistent with PM-Timer: 96ms instead of 100ms
<6>[    0.190000] APIC delta adjusted to PM-Timer: 6250051 (602B01B)
<6>[    0.190000] Performance Events: unsupported p6 CPU model 44 no PMU driver, software events only.
<6>[    0.190000] Booting Node 0, Processors #1 Ok.
<6>[    0.040000] mce: CPU supports 0 MCE banks
<4>[    0.350000] TSC synchronization [CPU#0 -> CPU#1]:
<4>[    0.350000] Measured 123400 cycles TSC warp between CPUs, turning off TSC clock.
<6>[    0.350000] Marking TSC unstable due to check_tsc_sync_source failed
<6>[    0.350041] Brought up 2 CPUs
<6>[    0.350043] Total of 2 processors activated (13888.93 BogoMIPS).
<6>[    0.350333] devtmpfs: initialized
<6>[    0.350505] print_constraints: dummy:
<4>[    0.350529] Time: 16:47:17  Date: 05/16/14
<6>[    0.350547] NET: Registered protocol family 16
<6>[    0.350697] ACPI: bus type pci registered
<6>[    0.350755] PCI: Using configuration type 1 for base access
<6>[    0.350676] Trying to unpack rootfs image as initramfs...
<4>[    0.360214] bio: create slab <bio-0> at 0
<7>[    0.360596] ACPI: EC: Look up EC in DSDT
<4>[    0.360895] ACPI: Executed 1 blocks of module-level executable AML code
<6>[    0.360895] ACPI: Interpreter enabled
<6>[    0.360895] ACPI: (supports S0 S5)
<6>[    0.360895] ACPI: Using IOAPIC for interrupt routing
<6>[    0.362170] ACPI: No dock devices found.
<6>[    0.362174] HEST: Table not found.
<6>[    0.362178] PCI: Ignoring host bridge windows from ACPI; if necessary, use "pci=use_crs" and report a bug
<6>[    0.362229] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
<7>[    0.362342] pci_root pnp0a03:00: host bridge window [io  0x0000-0x0cf7] (ignored)
<7>[    0.362346] pci_root pnp0a03:00: host bridge window [io  0x0d00-0xffff] (ignored)
<7>[    0.362350] pci_root pnp0a03:00: host bridge window [mem 0x000a0000-0x000bffff] (ignored)
<7>[    0.362354] pci_root pnp0a03:00: host bridge window [mem 0xe0000000-0xffdfffff] (ignored)
<7>[    0.362394] pci 0000:00:00.0: [8086:1237] type 0 class 0x000600
<7>[    0.366407] pci 0000:00:01.0: [8086:7000] type 0 class 0x000601
<7>[    0.366746] pci 0000:00:01.1: [8086:7111] type 0 class 0x000101
<7>[    0.367008] pci 0000:00:01.1: reg 20: [io  0xd000-0xd00f]
<7>[    0.367189] pci 0000:00:02.0: [80ee:beef] type 0 class 0x000300
<7>[    0.370279] pci 0000:00:02.0: reg 10: [mem 0xe0000000-0xe7ffffff pref]
<7>[    0.414473] pci 0000:00:03.0: [8086:100e] type 0 class 0x000200
<7>[    0.416203] pci 0000:00:03.0: reg 10: [mem 0xf0000000-0xf001ffff]
<7>[    0.423979] pci 0000:00:03.0: reg 18: [io  0xd010-0xd017]
<7>[    0.432796] pci 0000:00:04.0: [80ee:cafe] type 0 class 0x000880
<7>[    0.434649] pci 0000:00:04.0: reg 10: [io  0xd020-0xd03f]
<7>[    0.436379] pci 0000:00:04.0: reg 14: [mem 0xf0400000-0xf07fffff]
<7>[    0.441137] pci 0000:00:04.0: reg 18: [mem 0xf0800000-0xf0803fff pref]
<7>[    0.452879] pci 0000:00:05.0: [8086:2415] type 0 class 0x000401
<7>[    0.453031] pci 0000:00:05.0: reg 10: [io  0xd100-0xd1ff]
<7>[    0.453141] pci 0000:00:05.0: reg 14: [io  0xd200-0xd23f]
<7>[    0.453809] pci 0000:00:06.0: [106b:003f] type 0 class 0x000c03
<7>[    0.459417] pci 0000:00:06.0: reg 10: [mem 0xf0804000-0xf0804fff]
<7>[    0.470162] pci 0000:00:07.0: [8086:7113] type 0 class 0x000680
<7>[    0.470546] pci 0000:00:0b.0: [8086:265c] type 0 class 0x000c03
<7>[    0.472353] pci 0000:00:0b.0: reg 10: [mem 0xf0805000-0xf0805fff]
<7>[    0.487023] pci 0000:00:0d.0: [8086:2829] type 0 class 0x000106
<7>[    0.488854] pci 0000:00:0d.0: reg 10: [io  0xd240-0xd247]
<7>[    0.496179] pci 0000:00:0d.0: reg 18: [io  0xd250-0xd257]
<7>[    0.500315] pci 0000:00:0d.0: reg 20: [io  0xd260-0xd26f]
<7>[    0.502499] pci 0000:00:0d.0: reg 24: [mem 0xf0806000-0xf0807fff]
<7>[    0.504754] ACPI: PCI Interrupt Routing Table [\_SB_.PCI0._PRT]
<6>[    0.506800] ACPI: PCI Interrupt Link [LNKA] (IRQs 5 9 10 *11)
<6>[    0.506943] ACPI: PCI Interrupt Link [LNKB] (IRQs 5 9 10 *11)
<6>[    0.506992] ACPI: PCI Interrupt Link [LNKC] (IRQs 5 9 *10 11)
<6>[    0.507040] ACPI: PCI Interrupt Link [LNKD] (IRQs 5 *9 10 11)
<6>[    0.507123] vgaarb: device added: PCI:0000:00:02.0,decodes=io+mem,owns=io+mem,locks=none
<6>[    0.507127] vgaarb: loaded
<5>[    0.507225] SCSI subsystem initialized
<7>[    0.510002] libata version 3.00 loaded.
<6>[    0.510002] usbcore: registered new interface driver usbfs
<6>[    0.510002] usbcore: registered new interface driver hub
<6>[    0.510002] usbcore: registered new device driver usb
<6>[    0.510002] wmi: Mapper loaded
<6>[    0.510002] PCI: Using ACPI for IRQ routing
<7>[    0.510002] PCI: pci_cache_line_size set to 64 bytes
<7>[    0.510002] reserve RAM buffer: 000000000009fc00 - 000000000009ffff
<7>[    0.510002] reserve RAM buffer: 00000000dfff0000 - 00000000dfffffff
<6>[    0.510002] NetLabel: Initializing
<6>[    0.510002] NetLabel:  domain hash size = 128
<6>[    0.510002] NetLabel:  protocols = UNLABELED CIPSOv4
<6>[    0.510002] NetLabel:  unlabeled traffic allowed by default
<6>[    0.516226] AppArmor: AppArmor Filesystem Enabled
<6>[    0.516247] pnp: PnP ACPI init
<6>[    0.516257] ACPI: bus type pnp registered
<7>[    0.516318] pnp 00:00: [bus 00-ff]
<7>[    0.516322] pnp 00:00: [io  0x0cf8-0x0cff]
<7>[    0.516324] pnp 00:00: [io  0x0000-0x0cf7 window]
<7>[    0.516326] pnp 00:00: [io  0x0d00-0xffff window]
<7>[    0.516329] pnp 00:00: [mem 0x000a0000-0x000bffff window]
<7>[    0.516331] pnp 00:00: [mem 0xe0000000-0xffdfffff window]
<7>[    0.516352] pnp 00:00: Plug and Play ACPI device, IDs PNP0a03 (active)
<7>[    0.516368] pnp 00:01: [io  0x0060]
<7>[    0.516370] pnp 00:01: [io  0x0064]
<7>[    0.516396] pnp 00:01: [irq 1]
<7>[    0.516413] pnp 00:01: Plug and Play ACPI device, IDs PNP0303 (active)
<7>[    0.516422] pnp 00:02: [io  0x0000-0x000f]
<7>[    0.516425] pnp 00:02: [io  0x0080-0x008f]
<7>[    0.516427] pnp 00:02: [io  0x00c0-0x00df]
<7>[    0.516430] pnp 00:02: [dma 4]
<7>[    0.516442] pnp 00:02: Plug and Play ACPI device, IDs PNP0200 (active)
<7>[    0.516484] pnp 00:03: [irq 12]
<7>[    0.516501] pnp 00:03: Plug and Play ACPI device, IDs PNP0f03 (active)
<7>[    0.516511] pnp 00:04: [io  0x0378-0x037f]
<7>[    0.516514] pnp 00:04: [io  0x0778-0x077f]
<7>[    0.516528] pnp 00:04: [irq 7]
<7>[    0.516542] pnp 00:04: Plug and Play ACPI device, IDs PNP0400 (active)
<6>[    0.516861] pnp: PnP ACPI: found 5 devices
<6>[    0.516864] ACPI: ACPI bus type pnp unregistered
<6>[    0.522509] Switching to clocksource acpi_pm
<7>[    0.522651] pci_bus 0000:00: resource 0 [io  0x0000-0xffff]
<7>[    0.522654] pci_bus 0000:00: resource 1 [mem 0x00000000-0xfffffffff]
<6>[ 0.522676] NET: Registered protocol family 2
<6>[ 0.522755] IP route cache hash table entries: 131072 (order: 8, 1048576 bytes)
<6>[ 0.525912] TCP established hash table entries: 524288 (order: 11, 8388608 bytes)
<6>[ 0.525678] TCP bind hash table entries: 65536 (order: 8, 1048576 bytes)
<6>[ 0.525678] TCP: Hash tables configured (established 524288 bind 65536)
<6>[ 0.525678] TCP reno registered
<6>[ 0.525686] UDP hash table entries: 2048 (order: 4, 65536 bytes)
<6>[ 0.525701] UDP-Lite hash table entries: 2048 (order: 4, 65536 bytes)
<6>[ 0.525753] NET: Registered protocol family 1
<6>[ 0.525762] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
<6>[ 0.525787] pci 0000:00:01.0: Activating ISA DMA hang workarounds
<7>[ 0.525807] pci 0000:00:02.0: Boot video device
<7>[ 0.525996] PCI: CLS 0 bytes, default 64
<6>[ 0.525999] PCI-DMA: using software bounce buffering for IO (SWIOTLB)
<6>[ 0.526002] Placing 64MB software IO TLB between ffff8800dbc00000 - ffff8800dfc00000
<6>[ 0.526004] software IO TLB at phys 0xdbc00000 - 0xdfc00000
<6>[ 0.526106] platform rtc_cmos: registered platform RTC device (no PNP device found)
<6>[ 0.526272] audit: initializing netlink socket (disabled)
<5>[ 0.526279] type=2000 audit(1400258836.520:1): initialized
<6>[ 0.526085] Switched to NOHz mode on CPU #0
<6>[ 0.531022] Switched to NOHz mode on CPU #1
<6>[ 0.534722] HugeTLB registered 2 MB page size, pre-allocated 0 pages
<5>[ 0.535757] VFS: Disk quotas dquot_6.5.2
<4>[ 0.535788] Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
<6>[ 0.536162] fuse init (API version 7.16)
<6>[ 0.536214] msgmni has been set to 7894
<6>[ 0.536416] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
<6>[ 0.536448] io scheduler noop registered
<6>[ 0.536451] io scheduler deadline registered
<6>[ 0.536475] io scheduler cfq registered (default)
<6>[ 0.536524] pci_hotplug: PCI Hot Plug PCI Core version: 0.5
<6>[ 0.536542] pciehp: PCI Express Hot Plug Controller Driver version: 0.4
<4>[ 0.536611] ACPI: Deprecated procfs I/F for AC is loaded, please retry with CONFIG_ACPI_PROCFS_POWER cleared
<6>[ 0.536653] ACPI: AC Adapter [AC] (on-line)
<6>[ 0.536691] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
<6>[ 0.536694] ACPI: Power Button [PWRF]
<6>[ 0.536735] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
<6>[ 0.536738] ACPI: Sleep Button [SLPF]
<7>[ 0.536863] ACPI: acpi_idle registered with cpuidle
<6>[ 0.537412] ERST: Table is not found!
<6>[ 0.537448] Serial: 8250/16550 driver, 32 ports, IRQ sharing enabled
<6>[ 0.647026] Freeing initrd memory: 12844k freed
<6>[ 1.142889] Linux agpgart interface v0.103
<6>[ 1.143521] brd: module loaded
<6>[ 1.143808] loop: module loaded
<4>[ 1.143858] i2c-core: driver [adp5520] using legacy suspend method
<4>[ 1.143860] i2c-core: driver [adp5520] using legacy resume method
<7>[ 1.143909] ata_piix 0000:00:01.1: version 2.13
<7>[ 1.143961] ata_piix 0000:00:01.1: setting latency timer to 64
<6>[ 1.144501] scsi0 : ata_piix
<6>[ 1.144792] scsi1 : ata_piix
<6>[ 1.144821] ata1: PATA max udma/33 cmd 0x1f0 ctl 0x3f6 bmdma 0xd000 irq 14
<6>[ 1.144823] ata2: PATA max udma/33 cmd 0x170 ctl 0x376 bmdma 0xd008 irq 15
<6>[ 1.145054] Fixed MDIO Bus: probed
<6>[ 1.145075] PPP generic driver version 2.4.2
<6>[ 1.145097] tun: universal TUN/TAP device driver, 1.6
<6>[ 1.145100] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
<6>[ 1.145159] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
<6>[ 1.145193] ehci_hcd 0000:00:0b.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
<7>[ 1.145216] ehci_hcd 0000:00:0b.0: setting latency timer to 64
<6>[ 1.145225] ehci_hcd 0000:00:0b.0: EHCI Host Controller
<6>[ 1.145250] ehci_hcd 0000:00:0b.0: new USB bus registered, assigned bus number 1
<6>[ 1.150658] ehci_hcd 0000:00:0b.0: irq 19, io mem 0xf0805000
<6>[ 1.170157] ehci_hcd 0000:00:0b.0: USB 2.0 started, EHCI 1.00
<6>[ 1.170347] hub 1-0:1.0: USB hub found
<6>[ 1.170356] hub 1-0:1.0: 8 ports detected
<6>[ 1.170537] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
<6>[ 1.170608] ohci_hcd 0000:00:06.0: PCI INT A -> GSI 22 (level, low) -> IRQ 22
<7>[ 1.170656] ohci_hcd 0000:00:06.0: setting latency timer to 64
<6>[ 1.170676] ohci_hcd 0000:00:06.0: OHCI Host Controller
<6>[ 1.170734] ohci_hcd 0000:00:06.0: new USB bus registered, assigned bus number 2
<6>[ 1.171026] ohci_hcd 0000:00:06.0: irq 22, io mem 0xf0804000
<6>[ 1.230577] hub 2-0:1.0: USB hub found
<6>[ 1.230598] hub 2-0:1.0: 8 ports detected
<6>[ 1.230866] uhci_hcd: USB universal Host Controller interface driver
<6>[ 1.230986] i8042: PNP: PS/2 Controller [PNP0303:PS2K,PNP0f03:PS2M] at 0x60,0x64 irq 1,12
<6>[ 1.235334] serio: i8042 KBD port at 0x60,0x64 irq 1
<6>[ 1.235346] serio: i8042 AUX port at 0x60,0x64 irq 12
<6>[ 1.235452] mousedev: PS/2 mouse device common for all mice
<6>[ 1.235756] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input2
<6>[ 1.236242] rtc_cmos rtc_cmos: rtc core: registered rtc_cmos as rtc0
<6>[ 1.236378] rtc0: alarms up to one day, 114 bytes nvram
<6>[ 1.236742] device-mapper: uevent: version 1.0.3
<6>[ 1.236850] device-mapper: ioctl: 4.19.1-ioctl (2011-01-07) initialised: dm-devel@redhat.com
<6>[ 1.237860] device-mapper: multipath: version 1.2.0 loaded
<6>[ 1.237867] device-mapper: multipath round-robin: version 1.0.0 loaded
<6>[ 1.238944] cpuidle: using governor ladder
<6>[ 1.238951] cpuidle: using governor menu
<6>[ 1.239277] TCP cubic registered
<6>[ 1.239451] NET: Registered protocol family 10
<6>[ 1.240193] NET: Registered protocol family 17
<5>[ 1.240220] Registering the dns_resolver key type
<7>[ 1.240482] PM: Hibernation image not present or could not be loaded.
<4>[ 1.240497] registered taskstats version 1
<4>[ 1.240956] Magic number: 14:129:793
<6>[ 1.241229] rtc_cmos rtc_cmos: setting system clock to 2014-05-16 16:47:18 UTC (1400258838)
<6>[ 1.241249] BIOS EDD facility v0.16 2004-Jun-25, 0 devices found
<6>[ 1.241254] EDD information not available.
<6>[ 1.301811] ata2.00: ATAPI: VBOX CD-ROM, 1.0, max udma/133
<6>[ 1.302774] ata2.00: configured for UDMA/33
<5>[ 1.303958] scsi 1:0:0:0: CD-ROM VBOX CD-ROM 1.0 PQ: 0 ANSI: 5
<4>[ 1.305392] sr0: scsi3-mmc drive: 32x/32x xa/form2 tray
<6>[ 1.305399] cdrom: uniform CD-ROM driver Revision: 3.20
<7>[ 1.308170] sr 1:0:0:0: Attached scsi CD-ROM sr0
<5>[ 1.309660] sr 1:0:0:0: Attached scsi generic sg0 type 5
<6>[ 1.313167] Freeing unused kernel memory: 956k freed
<6>[ 1.313303] write protecting the kernel read-only data: 10240k
<6>[ 1.315123] Freeing unused kernel memory: 184k freed
<6>[ 1.322403] Freeing unused kernel memory: 1444k freed
<4>[ 1.365166] <30>udev[67]: starting version 167
<6>[ 1.409547] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
<6>[ 1.409550] e1000: Copyright (c) 1999-2006 Intel Corporation.
<6>[ 1.409582] e1000 0000:00:03.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
<7>[ 1.409598] e1000 0000:00:03.0: setting latency timer to 64
<6>[ 1.680131] usb 2-1: new full speed USB device using ohci_hcd and address 2
<6>[ 1.841932] e1000 0000:00:03.0: eth0: (PCI:33mhz:32-bit) 08:00:27:cc:54:b5
<6>[ 1.841940] e1000 0000:00:03.0: eth0: Intel(R) PRO/1000 Network Connection
<7>[ 1.842057] ahci 0000:00:0d.0: version 3.0
<6>[ 1.842126] ahci 0000:00:0d.0: PCI INT A -> GSI 21 (level, low) -> IRQ 21
<6>[ 1.842233] ahci: SSS flag set, parallel bus scan disabled
<6>[ 1.842369] ahci 0000:00:0d.0: AHCI 0001.0100 32 slots 1 ports 3 Gbps 0x1 impl SATA mode
<6>[ 1.842376] ahci 0000:00:0d.0: flags: 64bit ncq stag only ccc
<7>[ 1.842409] ahci 0000:00:0d.0: setting latency timer to 64
<6>[ 1.846574] scsi2 : ahci
<6>[ 1.846626] ata3: SATA max udma/133 abar m8192@0xf0806000 port 0xf0806100 irq 21
<6>[ 2.190315] ata3: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
<6>[ 2.190593] ata3.00: ATA-8: VBOX HARDDISK, 1.0, max udma/133
<6>[ 2.190600] at
[3617576002805444146.3617576002] : USB HID core driver
<6>[ 2.268995] SGI XFS with ACLs, security attributes, realtime, large block/inode numbers, no debug enabled
<6>[ 2.275051] SGI XFS Quota Management subsystem
<5>[ 2.279154] XFS mounting filesystem sda6
<7>[ 2.293333] Ending clean XFS mount for filesystem: sda6
<4>[ 2.460259] <30>udev[251]: starting version 167
<6>[ 2.470699] Adding 3998716k swap on /dev/sda5. Priority:-1 extents:1 across:3998716k SS
<6>[ 2.533224] lp: driver loaded but no devices found
<6>[ 2.606866] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
<3>[ 2.610446] piix4_smbus 0000:00:07.0: SMBus base address uninitialized - upgrade BIOS or use force_addr=0xaddr
<6>[ 2.617543] pci 0000:00:04.0: PCI INT A -> GSI 20 (level, low) -> IRQ 20
<6>[ 2.624864] input: unspecified device as /devices/virtual/input/input4
<4>[ 2.625339] vboxguest: major 0, IRQ 20, I/O port d020, MMIO at 00000000f0400000 (size 0x400000)
<7>[ 2.625352] vboxguest: Successfully loaded version 4.1.8 (interface 0x00010004)
<5>[ 2.666314] type=1400 audit(1400258839.911:2): apparmor="STATUS" operation="profile_load" name="/sbin/dhclient" pid=438 comm="apparmor_parser"
<5>[ 2.666664] type=1400 audit(1400258839.911:3): apparmor="STATUS" operation="profile_load" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=438 comm="apparmor_parser"
<5>[ 2.666889] type=1400 audit(1400258839.911:4): apparmor="STATUS" operation="profile_load" name="/usr/lib/connman/scripts/dhclient-script" pid=438 comm="apparmor_parser"
<6>[ 2.756745] ADDRCONF(NETDEV_UP): eth0: link is not ready
<6>[ 2.760516] e1000: eth0 NIC Link is up 1000 Mbps Full Duplex, Flow Control: RX
<6>[ 2.761029] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
<6>[ 2.763329] parport_pc 00:04: reported by Plug and Play ACPI
<5>[ 2.828598] type=1400 audit(1400258840.071:5): apparmor="STATUS" operation="profile_load" name="/usr/share/gdm/guest-session/xsession" pid=573 comm="apparmor_parser"
<5>[ 2.831075] type=1400 audit(1400258840.081:6): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient" pid=574 comm="apparmor_parser"
<5>[ 2.831503] type=1400 audit(1400258840.081:7): apparmor="STATUS" operation="profile_replace" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=574 comm="apparmor_parser"
<5>[ 2.831724] type=1400 audit(1400258840.081:8): apparmor="STATUS" operation="profile_replace" name="/usr/lib/connman/scripts/dhclient-script" pid=574 comm="apparmor_parser"
<5>[ 2.837274] type=1400 audit(1400258840.081:9): apparmor="STATUS" operation="profile_load" name="/usr/bin/evince" pid=576 comm="apparmor_parser"
<5>[ 2.837389] type=1400 audit(1400258840.081:10): apparmor="STATUS" operation="profile_load" name="/usr/lib/cups/backend/cups-pdf" pid=578 comm="apparmor_parser"
<6>[ 2.849065] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input5
<7>[ 3.009203] vboxsf: Successfully loaded version 4.1.8 (interface 0x00010004)
<6>[ 3.015416] ppdev: user-space parallel port driver
<6>[ 3.081070] Intel ICH 0000:00:05.0: PCI INT A -> GSI 21 (level, low) -> IRQ 21
<7>[ 3.081089] Intel ICH 0000:00:05.0: setting latency timer to 64
<6>[ 3.168827] EXT4-fs (sda1): re-mounted. Opts: commit=0
<6>[ 3.430239] intel8x0_measure_ac97_clock: measured 59582 usecs (12782 samples)
<6>[ 3.430246] intel8x0: measured clock 214527 rejected
<6>[ 3.800227] intel8x0_measure_ac97_clock: measured 59999 usecs (12774 samples)
<6>[ 3.800234] intel8x0: measured clock 212903 rejected
<6>[ 4.740268] intel8x0_measure_ac97_clock: measured 62047 usecs (12678 samples)
<6>[ 4.740275] intel8x0: measured clock 204328 rejected
<6>[ 4.740281] intel8x0: clocking to 48000
<6>[ 4.798424] vesafb: framebuffer at 0xe0000000, mapped to 0xffffc90004500000, using 1216k, total 1216k
<6>[ 4.798429] vesafb: mode is 640x480x32, linelength=2560, pages=0
<6>[ 4.798432] vesafb: scrolling: redraw
<6>[ 4.798435] vesafb: Truecolor: size=8:8:8:8, shift=24:16:8:0
<4>[ 4.798530] Console: switching to colour frame buffer device 80x30
<6>[ 4.798541] fb0: VESA VGA frame buffer device
<6>[ 4.980466] [drm] initialized drm 1.1.0 20060810
<6>[ 4.981425] pci 0000:00:02.0: PCI INT A -> GSI 18 (level, low) -> IRQ 18
<7>[ 4.981440] pci 0000:00:02.0: setting latency timer to 64
<6>[ 4.981546] [drm] Supports vblank timestamp caching Rev 1 (10.10.2010).
<6>[ 4.981548] [drm] No driver support for vblank timestamp query.
<6>[ 4.981551] [drm] initialized vboxvideo 1.0.0 20090303 for 0000:00:02.0 on minor 0
<6>[ 5.747997] EXT4-fs (sda1): re-mounted. Opts: commit=0
<7>[ 13.700173] eth0: no IPv6 routers present
<6>[ 192.670530] usb 2-1: USB disconnect, address 2
<6>[ 193.200258] usb 2-1: new full speed USB device using ohci_hcd and address 3
<6>[ 193.503032] input: VirtualBox USB Tablet as /devices/pci0000:00/0000:00:06.0/usb2/2-1/2-1:1.0/input/input6
<6>[ 193.503210] generic-usb 0003:80EE:0021.0002: input,hidraw0: USB HID v1.10 Mouse [VirtualBox USB Tablet] on usb-0000:00:06.0-1/input0
<7>[ 224.713621] sf_read_super_aux err=-71
<7>[ 224.750645] sf_read_super_aux err=-71
<7>[ 224.780382] sf_read_super_aux err=-71

B.2 Output for plugin linux_psaux

The output in Table B.1 was generated by the Volatility linux_psaux plugin (see Section 3.3.1).

Table B.1: Plugin output for linux_psaux (sorted by PID).

PID    UID    GID    Arguments
1      0      0      /sbin/init ro quiet splash
2      0      0      [kthreadd]
3      0      0      [ksoftirqd/0]
5      0      0      [kworker/u:0]
6      0      0      [migration/0]
7      0      0      [migration/1]
9      0      0      [ksoftirqd/1]
10     0      0      [kworker/0:1]
11     0      0      [cpuset]
12     0      0      [khelper]
13     0      0      [netns]
14     0      0      [kworker/u:1]
15     0      0      [sync_supers]
16     0      0      [bdi-default]
17     0      0      [kintegrityd]
18     0      0      [kblockd]
19     0      0      [kacpid]
20     0      0      [kacpi_notify]
21     0      0      [kacpi_hotplug]
22     0      0      [ata_sff]
23     0      0      [khubd]
24     0      0      [md]
25     0      0      [kworker/1:1]
26     0      0      [khungtaskd]
27     0      0      [kswapd0]
28     0      0      [ksmd]
29     0      0      [fsnotify_mark]
30     0      0      [aio]
31     0      0      [ecryptfs-kthrea]
32     0      0      [crypto]
36     0      0      [kthrotld]
38     0      0      [scsi_eh_0]
39     0      0      [scsi_eh_1]
41     0      0      [kmpathd]
42     0      0      [kmpath_handlerd]
43     0      0      [kondemand]
44     0      0      [kconservative]
45     0      0      [kworker/0:2]
155    0      0      [kworker/1:2]
166    0      0      [scsi_eh_2]
185    0      0      [xfs_mru_cache]
186    0      0      [xfslogd]
187    0      0      [xfsdatad]
188    0      0      [xfsconvertd]
190    0      0      [xfsbufd/sda6]
191    0      0      [xfsaild/sda6]
192    0      0      [xfssyncd/sda6]
249    0      0      upstart-udev-bridge --daemon
251    0      0      udevd --daemon
370    0      0      [jbd2/sda1-8]
372    0      0      [ext4-dio-unwrit]
405    0      0      [iprt]
406    0      0      [kpsmoused]
420    102    105    dbus-daemon --system --fork --activation=upstart
426    101    103    rsyslogd -c4
444    0      0      NetworkManager
446    104    109    avahi-daemon: ru
447    104    109    avahi-daemon: eh
451    0      0      udevd --daemon
462    0      0      /usr/sbin/modem-manager
467    0      0      /usr/lib/policykit-1/polkitd
522    0      0      /sbin/wpa_supplicant -u -s
523    0      0      /sbin/dhclient -d -4 -sf /usr/lib/NetworkManager/nm-dhcp-client.action -pf /var/run/dhclient-eth0.pid -lf /var/lib/dhcp/dhclient-6cd8b0a6-3c56-4b21-9f2b-6054a5152641-eth0.lease -cf /var/run/nm-dhclient-eth0.conf eth0
562    0      0      upstart-socket-bridge --daemon
621    0      0      /sbin/getty -8 38400 tty4
627    0      0      /sbin/getty -8 38400 tty5
638    0      0      /sbin/getty -8 38400 tty2
641    0      0      /sbin/getty -8 38400 tty3
644    0      0      /sbin/getty -8 38400 tty6
651    0      0      acpid -c /etc/acpi/events -s /var/run/acpid.socket
654    0      0      anacron -s
655    0      0      cron
656    0      0      atd
663    0      0      /usr/sbin/irqbalance
787    0      0      /usr/sbin/VBoxService
898    0      0      [flush-8:0]
943    0      0      /sbin/getty -8 38400 tty1
1015   0      0      gdm-binary
1017   0      0      /usr/sbin/cupsd -F
1022   0      0      /usr/sbin/console-kit-daemon --no-daemon
1088   0      0      /usr/lib/gdm/gdm-simple-slave --display-id /org/gnome/DisplayManager/Display1
1091   0      0      /usr/bin/X :0 -br -verbose -auth /var/run/gdm/auth-for-gdm-E6Qm2P/database -nolisten tcp vt7
1136   0      1000   /usr/lib/gdm/gdm-session-worker
1139   0      0      /usr/lib/upower/upowerd
1157   110    119    /usr/lib/rtkit/rtkit-daemon
1233   1000   1000   /usr/bin/gnome-keyring-daemon --daemonize --login
1252   1000   1000   gnome-session --session=ubuntu
1295   1000   1000   /usr/bin/VBoxClient --clipboard
1307   1000   1000   /usr/bin/VBoxClient --display
1315   1000   1000   /usr/bin/VBoxClient --seamless
1319   1000   1000   /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session gnome-session --session=ubuntu
1322   1000   1000   /usr/bin/dbus-launch --exit-with-session gnome-session --session=ubuntu
1323   1000   1000   //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
1328   1000   1000   /usr/lib/libgconf2-4/gconfd-2
1344   1000   1000   /usr/lib/gnome-settings-daemon/gnome-settings-daemon
1347   1000   1000   /usr/lib/gvfs/gvfsd
1352   1000   1000   /usr/lib/gvfs//gvfs-fuse-daemon /home/richard/.gvfs
1357   1000   1000   compiz
1359   1000   1000   /usr/bin/pulseaudio --start --log-target=syslog
1362   1000   1000   nautilus
1366   1000   1000   /usr/lib/pulseaudio/pulse/gconf-helper
1370   1000   1000   nm-applet --sm-disable
1371   1000   1000   /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
1376   1000   1000   /usr/lib/gvfs/gvfs-gdu-volume-monitor
1377   1000   1000   zeitgeist-datahub
1379   0      0      /usr/lib/udisks/udisks-daemon
1381   0      0      udisks-daemon: polling /dev/sr
1386   1000   1000   gnome-power-manager
1392   1000   1000   bluetooth-applet
1397   1000   1000   /usr/bin/python /usr/bin/zeitgeist-daemon
1399   1000   1000   /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
1400   1000   1000   /usr/lib/evolution/2.32/evolution-alarm-notify
1402   1000   1000   /usr/lib/gvfs/gvfs-afc-volume-monitor
1419   1000   1000   /bin/cat
1421   1000   1000   [zeitgeist-datah]
1450   1000   1000   /usr/lib/gvfs/gvfsd-trash --spawner :1.10 /org/gtk/gvfs/exec_spaw/0
1454   1000   1000   /usr/lib/notify-osd/notify-osd
1468   1000   1000   /usr/lib/gvfs/gvfsd-metadata
1470   1000   1000   /usr/lib/gvfs/gvfsd-burn --spawner :1.10 /org/gtk/gvfs/exec_spaw/1
1475   1000   1000   /usr/lib/d-conf/dconf-service
1484   1000   1000   /bin/sh -c /usr/bin/compiz-decorator
1485   1000   1000   /usr/bin/unity-window-decorator
1488   1000   1000   /usr/lib/unity/unity-panel-service
1493   1000   1000   /usr/lib/bamf/bamfdaemon
1501   1000   1000   /usr/lib/indicator-datetime/indicator-datetime-service
1502   1000   1000   /usr/lib/indicator-me/indicator-me-service
1503   1000   1000   /usr/lib/indicator-session/indicator-session-service
1504   1000   1000   /usr/lib/indicator-application/indicator-application-service
1505   1000   1000   /usr/lib/indicator-messages/indicator-messages-service
1509   1000   1000   /usr/lib/indicator-sound/indicator-sound-service
1542   1000   1000   /usr/lib/geoclue/geoclue-master
1550   1000   1000   gnome-screensaver
1552   1000   1000   gnome-terminal
1555   1000   1000   gnome-pty-helper
1556   1000   1000   bash
1615   1000   1000   /usr/lib/gnome-disk-utility/gdu-notification-daemon
1618   1000   1000   /usr/bin/python /usr/share/system-config-printer/applet.py
1621   1000   1000   update-notifier
1635   0      0      /usr/bin/python /usr/lib/system-service/system-service-d
1645   1000   1000   /usr/lib/unity-place-applications/unity-applications-daemon
1647   1000   1000   /usr/lib/unity-place-files/unity-files-daemon
1674   0      0      udevd --daemon
1684   0      0      su - root
1692   0      0      -su
1888   0      0      [kworker/0:0]
1889   0      0      [kworker/1:0]

B.3 Output for plugin linux_pslist

The output in Table B.2 was generated by the Volatility linux_pslist plugin (see Section 3.3.2).

Table B.2: Plugin output for linux_pslist (sorted by PID).

Offset              Name             PID   UID   GID   DTB                 Start Time
0xffff8801176b8000  init             1     0     0     0x000000011434d000  2014-05-16 16:47:22 UTC+0000
0xffff8801176b96e0  kthreadd         2     0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff8801176badc0  ksoftirqd/0      3     0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff8801176bdb80  kworker/u:0      5     0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff8801176d8000  migration/0      6     0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff8801176d96e0  migration/1      7     0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff8801176dc4a0  ksoftirqd/1      9     0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff8801176ddb80  kworker/0:1      10    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880117728000  cpuset           11    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff8801177116e0  khelper          12    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff8801177296e0  netns            13    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff88011772adc0  kworker/u:1      14    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff88011772c4a0  sync_supers      15    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff88011772db80  bdi-default      16    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880117050000  kintegrityd      17    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff8801170516e0  kblockd          18    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880117052dc0  kacpid           19    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff8801170544a0  kacpi_notify     20    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880117055b80  kacpi_hotplug    21    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880116e48000  ata_sff          22    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880116e496e0  khubd            23    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880116e4adc0  md               24    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880116e4c4a0  kworker/1:1      25    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880116e4db80  khungtaskd       26    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880115ed8000  kswapd0          27    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880115ed96e0  ksmd             28    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880115edadc0  fsnotify_mark    29    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880115edc4a0  aio              30    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880115eddb80  ecryptfs-kthrea  31    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880115fb8000  crypto           32    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880115fbdb80  kthrotld         36    0     0     -                   2014-05-16 16:47:22 UTC+0000
0xffff880115fbc4a0  scsi_eh_0        38    0     0     -                   2014-05-16 16:47:23 UTC+0000
0xffff880117712dc0  scsi_eh_1        39    0     0     -                   2014-05-16 16:47:23 UTC+0000
0xffff8801177144a0  kmpathd          41    0     0     -                   2014-05-16 16:47:23 UTC+0000
0xffff880115fb96e0  kmpath_handlerd  42    0     0     -                   2014-05-16 16:47:23 UTC+0000
0xffff880117715b80  kondemand        43    0     0     -                   2014-05-16 16:47:23 UTC+0000
0xffff880114388000  kconservative    44    0     0     -                   2014-05-16 16:47:23 UTC+0000
0xffff8801143896e0  kworker/0:2      45    0     0     -                   2014-05-16 16:47:23 UTC+0000
0xffff880113cadb80  kworker/1:2      155   0     0     -                   2014-05-16 16:47:23 UTC+0000
0xffff880113c544a0  scsi_eh_2        166   0     0     -                   2014-05-16 16:47:23 UTC+0000
0xffff880113cac4a0  xfs_mru_cache    185   0     0     -                   2014-05-16 16:47:24 UTC+0000
0xffff880113952dc0  xfslogd          186   0     0     -                   2014-05-16 16:47:24 UTC+0000
0xffff88011438db80  xfsdatad         187   0     0     -                   2014-05-16 16:47:24 UTC+0000
0xffff8801139516e0  xfsconvertd      188   0     0     -                   2014-05-16 16:47:24 UTC+0000
0xffff8801139544a0  xfsbufd/sda6     190   0     0     -                   2014-05-16 16:47:24 UTC+0000
0xffff880113955b80  xfsaild/sda6     191   0     0     -                   2014-05-16 16:47:24 UTC+0000
0xffff880113c55b80  xfssyncd/sda6    192   0     0     -                   2014-05-16 16:47:24 UTC+0000
0xffff880113ce8000  upstart-udev-br  249   0     0     0x0000000117157000  2014-05-16 16:47:24 UTC+0000
0xffff880113ddadc0  udevd            251   0     0     0x0000000113938000  2014-05-16 16:47:24 UTC+0000
0xffff8801134044a0  jbd2/sda1-8      370   0     0     -                   2014-05-16 16:47:24 UTC+0000
0xffff880113402dc0  ext4-dio-unwrit  372   0     0     -                   2014-05-16 16:47:24 UTC+0000
0xffff880114148000  iprt             405   0     0     -                   2014-05-16 16:47:24 UTC+0000
0xffff8801141496e0  kpsmoused        406   0     0     -                   2014-05-16 16:47:24 UTC+0000
0xffff880117110000  dbus-daemon      420   102   105   0x0000000114290000  2014-05-16 16:47:24 UTC+0000
0xffff880113e8adc0  rsyslogd         426   101   103   0x0000000113fe9000  2014-05-16 16:47:24 UTC+0000
0xffff880113400000  NetworkManager   444   0     0     0x0000000113654000  2014-05-16 16:47:24 UTC+0000
0xffff880113ca8000  avahi-daemon     446   104   109   0x000000011486d000  2014-05-16 16:47:24 UTC+0000
0xffff88011414db80  avahi-daemon     447   104   109   0x0000000113650000  2014-05-16 16:47:24 UTC+0000
0xffff880114badb80  udevd            451   0     0     0x0000000114801000  2014-05-16 16:47:24 UTC+0000
0xffff88011340adc0  modem-manager    462   0     0     0x0000000114093000  2014-05-16 16:47:24 UTC+0000
0xffff88011583c4a0  polkitd          467   0     0     0x0000000116c90000  2014-05-16 16:47:24 UTC+0000
0xffff8801142244a0  wpa_supplicant   522   0     0     0x00000001136ae000  2014-05-16 16:47:24 UTC+0000
0xffff8801141d2dc0  dhclient         523   0     0     0x0000000114260000  2014-05-16 16:47:24 UTC+0000
0xffff8801141b2dc0  upstart-socket-  562   0     0     0x00000001159e3000  2014-05-16 16:47:24 UTC+0000
0xffff880114182dc0  getty            621   0     0     0x0000000113ba9000  2014-05-16 16:47:24 UTC+0000
0xffff880113c50000  getty            627   0     0     0x000000011348a000  2014-05-16 16:47:24 UTC+0000
0xffff8801141d0000  getty            638   0     0     0x0000000113b94000  2014-05-16 16:47:24 UTC+0000
0xffff8801141d44a0  getty            641   0     0     0x00000001168d2000  2014-05-16 16:47:24 UTC+0000
0xffff880113e8c4a0  getty            644   0     0     0x0000000116f6b000  2014-05-16 16:47:24 UTC+0000
0xffff880113cf0000  acpid            651   0     0     0x0000000113ba0000  2014-05-16 16:47:24 UTC+0000
0xffff880113cf44a0  anacron          654   0     0     0x000000011732c000  2014-05-16 16:47:24 UTC+0000
0xffff880113cf5b80  cron             655   0     0     0x00000001136e6000  2014-05-16 16:47:24 UTC+0000
0xffff8801141b5b80  atd              656   0     0     0x00000001148d6000  2014-05-16 16:47:24 UTC+0000
0xffff880113bc96e0  irqbalance       663   0     0     0x0000000115664000  2014-05-16 16:47:24 UTC+0000
0xffff880113872dc0  VBoxService      787   0     0     0x00000001159a8000  2014-05-16 16:47:25 UTC+0000
0xffff88011414adc0  flush-8:0        898   0     0     -                   2014-05-16 16:47:25 UTC+0000
0xffff880113bc8000  getty            943   0     0     0x000000011406e000  2014-05-16 16:47:25 UTC+0000
0xffff88011583db80  gdm-binary       1015  0     0     0x000000011424b000  2014-05-16 16:47:26 UTC+0000
0xffff8801141d16e0  cupsd            1017  0     0     0x00000001136fe000  2014-05-16 16:47:26 UTC+0000
0xffff880117112dc0  console-kit-dae  1022  0     0     0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113c516e0  gdm-simple-slav  1088  0     0     0x00000001141c0000  2014-05-16 16:47:26 UTC+0000
0xffff88011352db80  Xorg             1091  0     0     0x00000001171df000  2014-05-16 16:47:26 UTC+0000
0xffff880114ba96e0  gdm-session-wor  1136  0     1000  0x0000000115777000  2014-05-16 16:47:27 UTC+0000
0xffff880114220000  upowerd          1139  0     0     0x0000000115794000  2014-05-16 16:47:27 UTC+0000
0xffff8801157d5b80  rtkit-daemon     1157  110   119   0x0000000114f1d000  2014-05-16 16:47:27 UTC+0000
0xffff880114982dc0  gnome-keyring-d  1233  1000  1000  0x0000000116337000  2014-05-16 16:48:07 UTC+0000
0xffff880114bac4a0  gnome-session    1252  1000  1000  0x0000000114a29000  2014-05-16 16:48:07 UTC+0000
0xffff880114a65b80  VBoxClient       1295  1000  1000  0x0000000114961000  2014-05-16 16:48:08 UTC+0000
0xffff8801149896e0  VBoxClient       1307  1000  1000  0x00000001172e2000  2014-05-16 16:48:08 UTC+0000
0xffff880113bcdb80  VBoxClient       1315  1000  1000  0x00000001148f2000  2014-05-16 16:48:08 UTC+0000
0xffff880114e40000  ssh-agent        1319  1000  1000  0x0000000116ddb000  2014-05-16 16:48:08 UTC+0000
0xffff880113ce96e0  dbus-launch      1322  1000  1000  0x000000011491f000  2014-05-16 16:48:08 UTC+0000
0xffff880113caadc0  dbus-daemon      1323  1000  1000  0x0000000116afd000  2014-05-16 16:48:08 UTC+0000
0xffff8801156c44a0  gconfd-2         1328  1000  1000  0x0000000116da2000  2014-05-16 16:48:08 UTC+0000
0xffff880113870000  gnome-settings-  1344  1000  1000  0x0000000114b08000  2014-05-16 16:48:08 UTC+0000
0xffff880114185b80  gvfsd            1347  1000  1000  0x0000000116d3c000  2014-05-16 16:48:08 UTC+0000
0xffff8801134096e0  gvfs-fuse-daemo  1352  1000  1000  0x0000000116de5000  2014-05-16 16:48:08 UTC+0000
0xffff880114a644a0  compiz           1357  1000  1000  0x0000000115e8f000  2014-05-16 16:48:08 UTC+0000
0xffff8801157d2dc0  pulseaudio       1359  1000  1000  0x00000001172c0000  2014-05-16 16:48:08 UTC+0000
0xffff8801138716e0  nautilus         1362  1000  1000  0x0000000114a01000  2014-05-16 16:48:08 UTC+0000
0xffff88011498adc0  gconf-helper     1366  1000  1000  0x0000000116dd7000  2014-05-16 16:48:08 UTC+0000
0xffff8801172a16e0  nm-applet        1370  1000  1000  0x0000000117118000  2014-05-16 16:48:08 UTC+0000
0xffff880114baadc0  polkit-gnome-au  1371  1000  1000  0x0000000115cf0000  2014-05-16 16:48:08 UTC+0000
0xffff880114f88000  gvfs-gdu-volume  1376  1000  1000  0x0000000116eb6000  2014-05-16 16:48:08 UTC+0000
0xffff880114f896e0

zeitgeist-datah 

1377 

1000 

1000 

0x00000001 156e9000 

2014-05-16  16:48:08  UTC+0000 

0xffff8801 1583adc0 

udisks-daemon 

1379 

0 

0 

0x00000001 156e7000 

2014-05-16  16:48:08  UTC+0000 

0xffff8801 156c0000 

udisks-daemon 

1381 

0 

0 

0x00000001 172ed000 

2014-05-16  16:48:08  UTC+0000 

0xffff880 11711 16e0 

gnome-power-man 

1386 

1000 

1000 

0x0000000115866000 

2014-05-16  16:48:08  UTC+0000 

0xffff8801 138744a0 

bluetooth-apple 

1392 

1000 

1000 

0x000000011 73 a4000 

2014-05-16  16:48:08  UTC+0000 

0xffff8801 13bcc4a0 

zeitgeist-daemo 

1397 

1000 

1000 

0x000000011 73 a6000 

2014-05-16  16:48:08  UTC+0000 

0xffff880113e88000 

gvfs-gphoto2-vo 

1399 

1000 

1000 

0x00000001 15d28000 

2014-05-16  16:48:08  UTC+0000 

0xffff8801172a5b80 

evolution-alarm 

1400 

1000 

1000 

0x00000001 13d60000 

2014-05-16  16:48:08  UTC+0000 

0xffff8801 15df8000 

gvfs-afc -volume 

1402 

1000 

1000 

0x0000000115887000 

2014-05-16  16:48:08  UTC+0000 

0xffff8801 14a844a0 

cat 

1419 

1000 

1000 

0x00000001 16d05000 

2014-05-16  16:48:08  UTC+0000 

0xffff8801 14a816e0 

zeitgeist-datah 

1421 

1000 

1000 

2014-05-16  16:48:08  UTC+0000 

60 
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Offset 

Name 

PfD 

UID 

GfD 

DTB 

Start  Time 

OxffffS  80 1 1 5a8 1 6e0 

gvfsd-trash 

1450 

1000 

1000 

0x00000001 15a02000 

2014-05-16  16:48:09  UTC+0000 

OxffffiB  80 1 1 5  a  1  c4a0 

notify-osd 

1454 

1000 

1000 

0x00000001 15a0f000 

2014-05-16  16:48:09  UTC+0000 

0xffff880 114980000 

gvfsd-metadata 

1468 

1000 

1000 

0x00000001 15bf7000 

2014-05-16  16:48:09  UTC+0000 

0xffff880 1 1 5dfc4a0 

gvfsd-bum 

1470 

1000 

1000 

0x0000000115418000 

2014-05-16  16:48:10  UTC+0000 

0xffff8801 13dd8000 

dconf-service 

1475 

1000 

1000 

0x0000000103dc5000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 13cedb80 

sh 

1484 

1000 

1000 

0x00000001 154dd000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 13ceadc0 

unity-window-de 

1485 

1000 

1000 

0x00000001 1549a000 

2014-05-16  16:48:11  UTC+0000 

0xffff880 1 1 5dfdb80 

unity-panel-ser 

1488 

1000 

1000 

0x0000000115493000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 141b0000 

bamfdaemon 

1493 

1000 

1000 

0x00000001 154f3000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 14c20000 

indicator-datet 

1501 

1000 

1000 

0x00000001 14c06000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 14c216e0 

indicator-me-se 

1502 

1000 

1000 

0x00000001 14c68000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 14c22dc0 

indicator-sessi 

1503 

1000 

1000 

0x00000001 155da000 

2014-05-16  16:48:11  UTC+0000 

0xffff880103d796e0 

indicator-appli 

1504 

1000 

1000 

0x00000001 1550c000 

2014-05-16  16:48:11  UTC+0000 

0xffff8 80 1 03 d7  adcO 

indicator-messa 

1505 

1000 

1000 

0x0000000 1 03cec000 

2014-05-16  16:48:11  UTC+0000 

0xffff880103d7db80 

indicator-sound 

1509 

1000 

1000 

0x00000001 14c78000 

2014-05-16  16:48:11  UTC+0000 

0xffff880103ea2dc0 

geoclue-master 

1542 

1000 

1000 

0x0000000 1 03d49000 

2014-05-16  16:48:11  UTC+0000 

0xffff880103c6c4a0 

gnome-screensav 

1550 

1000 

1000 

0x00000001 03 f74000 

2014-05-16  16:48:14  UTC+0000 

0xffff880103c6adc0 

gnome-terminal 

1552 

1000 

1000 

0x0000000101558000 

2014-05-16  16:48:14  UTC+0000 

0xffff8 80 1 03 d7c4a0 

gnome-pty-helpe 

1555 

1000 

1000 

0x0000000 1 03faf000 

2014-05-16  16:48:14  UTC+0000 

0xffff880103d78000 

bash 

1556 

1000 

1000 

0x00000001 0145a000 

2014-05-16  16:48:14  UTC+0000 

0xffff880103ffdb80 

gdu-notificatio 

1615 

1000 

1000 

0x0000000 1 03f2c000 

2014-05-16  16:48:19  UTC+0000 

0xffff880103fe5b80 

applet.py 

1618 

1000 

1000 

0x00000001 16ed2000 

2014-05-16  16:48:39  UTC+0000 

0xffff880103fe0000 

update-notifier 

1621 

1000 

1000 

0x0000000036d2a000 

2014-05-16  16:49:09  UTC+0000 

0xffff880103fe44a0 

system-service- 

1635 

0 

0 

0x0000000036d 18000 

2014-05-16  16:49:10  UTC+0000 

0xffff8801 14d82dc0 

unity-applicati 

1645 

1000 

1000 

0x0000000036d9a000 

2014-05-16  16:50:32  UTC+0000 

0xffff8801 14d844a0 

unity-files-dae 

1647 

1000 

1000 

0x0000000036cf9000 

2014-05-16  16:50:32  UTC+0000 

0xffff880103e896e0 

udevd 

1674 

0 

0 

0x0000000036e6e000 

2014-05-16  16:50:35  UTC+0000 

0xffff8801 157d44a0 

su 

1684 

0 

0 

0x0000000036ee0000 

2014-05-16  16:50:38  UTC+0000 

0xffff880103eal6e0 

bash 

1692 

0 

0 

0x0000000036e43000 

2014-05-16  16:50:46  UTC+0000 

0xffff880103e8db80 

kworker/0:0 

1888 

0 

0 

2014-05-16  16:52:25  UTC+0000 

0xffff880103fel6e0 

kworker/l:0 

1889 

0 

0 

2014-05-16  16:52:27  UTC+0000 
B.4 Output for plugin linux_pstree

The output in Table B.3 was generated by the Volatility linux_pstree plugin (see Section 3.3.4).

Table B.3: Plugin output for linux_pstree (dot levels indicate subprocess).

Name                  PID    UID
init                  1      0
.upstart-udev-br      249    0
.udevd                251    0
..udevd               451    0
..udevd               1674   0
.dbus-daemon          420    102
.rsyslogd             426    101
.NetworkManager       444    0
..dhclient            523    0
.avahi-daemon         446    104
..avahi-daemon        447    104
.modem-manager        462    0
.polkitd              467    0
.wpa_supplicant       522    0
.upstart-socket-      562    0
.getty                621    0
.getty                627    0
.getty                638    0
.getty                641    0
.getty                644    0
.acpid                651    0
.anacron              654    0
.cron                 655    0
.atd                  656    0
.irqbalance           663    0
.VBoxService          787    0
.getty                943    0
.gdm-binary           1015   0
..gdm-simple-slav     1088   0
...Xorg               1091   0
...gdm-session-wor    1136   0
....gnome-session     1252   1000
.....ssh-agent        1319   1000
.....compiz           1357   1000
.....sh               1484   1000
.....unity-window-de  1485   1000
.....nautilus         1362   1000
.....nm-applet        1370   1000
.....polkit-gnome-au  1371   1000
.....zeitgeist-datah  1377   1000
.....gnome-power-man  1386   1000
.....bluetooth-apple  1392   1000
.....evolution-alarm  1400   1000
.....gdu-notificatio  1615   1000
.....applet.py        1618   1000
.....update-notifier  1621   1000
.cupsd                1017   0
.console-kit-dae      1022   0
.upowerd              1139   0
.rtkit-daemon         1157   110
.gnome-keyring-d      1233   1000
.VBoxClient           1295   1000
.VBoxClient           1307   1000
.VBoxClient           1315   1000
.dbus-daemon          1323   1000
.dbus-launch          1322   1000
.gconfd-2             1328   1000
.gvfsd                1347   1000
.gvfs-fuse-daemo      1352   1000
.gnome-settings-      1344   1000
.pulseaudio           1359   1000
..gconf-helper        1366   1000
.udisks-daemon        1379   0
..udisks-daemon       1381   0
.gvfs-gdu-volume      1376   1000
.gvfs-gphoto2-vo      1399   1000
.gvfs-afc-volume      1402   1000
.zeitgeist-daemo      1397   1000
..cat                 1419   1000
..[zeitgeist-datah]   1421   1000
.gvfsd-trash          1450   1000
.notify-osd           1454   1000
.gvfsd-metadata       1468   1000
.gvfsd-burn           1470   1000
.dconf-service        1475   1000
.bamfdaemon           1493   1000
.unity-panel-ser      1488   1000
.indicator-messa      1505   1000
.indicator-appli      1504   1000
.indicator-datet      1501   1000
.indicator-me-se      1502   1000
.indicator-sessi      1503   1000
.geoclue-master       1542   1000
.indicator-sound      1509   1000
.gnome-screensav      1550   1000
.gnome-terminal       1552   1000
..gnome-pty-helpe     1555   1000
..bash                1556   1000
...su                 1684   0
....bash              1692   0
.system-service-      1635   0
.unity-files-dae      1647   1000
.unity-applicati      1645   1000
[kthreadd]            2      0
.[ksoftirqd/0]        3      0
.[kworker/u:0]        5      0
.[migration/0]        6      0
.[migration/1]        7      0
.[ksoftirqd/1]        9      0
.[kworker/0:1]        10     0
.[cpuset]             11     0
.[khelper]            12     0
.[netns]              13     0
.[kworker/u:1]        14     0
.[sync_supers]        15     0
.[bdi-default]        16     0
.[kintegrityd]        17     0
.[kblockd]            18     0
.[kacpid]             19     0
.[kacpi_notify]       20     0
.[kacpi_hotplug]      21     0
.[ata_sff]            22     0
.[khubd]              23     0
.[md]                 24     0
.[kworker/1:1]        25     0
.[khungtaskd]         26     0
.[kswapd0]            27     0
.[ksmd]               28     0
.[fsnotify_mark]      29     0
.[aio]                30     0
.[ecryptfs-kthrea]    31     0
.[crypto]             32     0
.[kthrotld]           36     0
.[scsi_eh_0]          38     0
.[scsi_eh_1]          39     0
.[kmpathd]            41     0
.[kmpath_handlerd]    42     0
.[kondemand]          43     0
.[kconservative]      44     0
.[kworker/0:2]        45     0
.[kworker/1:2]        155    0
.[scsi_eh_2]          166    0
.[xfs_mru_cache]      185    0
.[xfslogd]            186    0
.[xfsdatad]           187    0
.[xfsconvertd]        188    0
.[xfsbufd/sda6]       190    0
.[xfsaild/sda6]       191    0
.[xfssyncd/sda6]      192    0
.[jbd2/sda1-8]        370    0
.[ext4-dio-unwrit]    372    0
.[iprt]               405    0
.[kpsmoused]          406    0
.[flush-8:0]          898    0
.[kworker/0:0]        1888   0
.[kworker/1:0]        1889   0
B.5 Output for plugin linux_pidhashtable

The output in Table B.4 was generated by the Volatility linux_pidhashtable plugin (see Section 3.3.5).

Table B.4: Plugin output for linux_pidhashtable (sorted by PID).

Offset              Name             PID    UID    GID    DTB                 Start Time
0xffff8801176b8000  init             1      0      0      0x000000011434d000  2014-05-16 16:47:22 UTC+0000
0xffff8801176b96e0  kthreadd         2      0      0                          2014-05-16 16:47:22 UTC+0000
0xffff8801176badc0  ksoftirqd/0      3      0      0                          2014-05-16 16:47:22 UTC+0000
0xffff8801176bdb80  kworker/u:0      5      0      0                          2014-05-16 16:47:22 UTC+0000
0xffff8801176d8000  migration/0      6      0      0                          2014-05-16 16:47:22 UTC+0000
0xffff8801176d96e0  migration/1      7      0      0                          2014-05-16 16:47:22 UTC+0000
0xffff8801176dc4a0  ksoftirqd/1      9      0      0                          2014-05-16 16:47:22 UTC+0000
0xffff8801176ddb80  kworker/0:1      10     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880117728000  cpuset           11     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff8801177116e0  khelper          12     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff8801177296e0  netns            13     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff88011772adc0  kworker/u:1      14     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff88011772c4a0  sync_supers      15     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff88011772db80  bdi-default      16     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880117050000  kintegrityd      17     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff8801170516e0  kblockd          18     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880117052dc0  kacpid           19     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff8801170544a0  kacpi_notify     20     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880117055b80  kacpi_hotplug    21     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880116e48000  ata_sff          22     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880116e496e0  khubd            23     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880116e4adc0  md               24     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880116e4c4a0  kworker/1:1      25     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880116e4db80  khungtaskd       26     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880115ed8000  kswapd0          27     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880115ed96e0  ksmd             28     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880115edadc0  fsnotify_mark    29     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880115edc4a0  aio              30     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880115eddb80  ecryptfs-kthrea  31     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880115fb8000  crypto           32     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880115fbdb80  kthrotld         36     0      0                          2014-05-16 16:47:22 UTC+0000
0xffff880115fbc4a0  scsi_eh_0        38     0      0                          2014-05-16 16:47:23 UTC+0000
0xffff880117712dc0  scsi_eh_1        39     0      0                          2014-05-16 16:47:23 UTC+0000
0xffff8801177144a0  kmpathd          41     0      0                          2014-05-16 16:47:23 UTC+0000
0xffff880115fb96e0  kmpath_handlerd  42     0      0                          2014-05-16 16:47:23 UTC+0000
0xffff880117715b80  kondemand        43     0      0                          2014-05-16 16:47:23 UTC+0000
0xffff880114388000  kconservative    44     0      0                          2014-05-16 16:47:23 UTC+0000
0xffff8801143896e0  kworker/0:2      45     0      0                          2014-05-16 16:47:23 UTC+0000
0xffff880113cadb80  kworker/1:2      155    0      0                          2014-05-16 16:47:23 UTC+0000
0xffff880113c544a0  scsi_eh_2        166    0      0                          2014-05-16 16:47:23 UTC+0000
0xffff880113cac4a0  xfs_mru_cache    185    0      0                          2014-05-16 16:47:24 UTC+0000
0xffff880113952dc0  xfslogd          186    0      0                          2014-05-16 16:47:24 UTC+0000
0xffff88011438db80  xfsdatad         187    0      0                          2014-05-16 16:47:24 UTC+0000
0xffff8801139516e0  xfsconvertd      188    0      0                          2014-05-16 16:47:24 UTC+0000
0xffff8801139544a0  xfsbufd/sda6     190    0      0                          2014-05-16 16:47:24 UTC+0000
0xffff880113955b80  xfsaild/sda6     191    0      0                          2014-05-16 16:47:24 UTC+0000
0xffff880113c55b80  xfssyncd/sda6    192    0      0                          2014-05-16 16:47:24 UTC+0000
0xffff880113ce8000  upstart-udev-br  249    0      0      0x0000000117157000  2014-05-16 16:47:24 UTC+0000
0xffff880113ddadc0  udevd            251    0      0      0x0000000113938000  2014-05-16 16:47:24 UTC+0000
0xffff8801134044a0  jbd2/sda1-8      370    0      0                          2014-05-16 16:47:24 UTC+0000
0xffff880113402dc0  ext4-dio-unwrit  372    0      0                          2014-05-16 16:47:24 UTC+0000
0xffff880114148000  iprt             405    0      0                          2014-05-16 16:47:24 UTC+0000
0xffff8801141496e0  kpsmoused        406    0      0                          2014-05-16 16:47:24 UTC+0000
0xffff880117110000  dbus-daemon      420    102    105    0x0000000114290000  2014-05-16 16:47:24 UTC+0000
0xffff880113e8adc0  rsyslogd         426    101    103    0x0000000113fe9000  2014-05-16 16:47:24 UTC+0000
0xffff880114edc4a0  rsyslogd         441    101    103    0x0000000113fe9000  2014-05-16 16:47:24 UTC+0000
0xffff8801156c5b80  rsyslogd         442    101    103    0x0000000113fe9000  2014-05-16 16:47:24 UTC+0000
0xffff880113400000  NetworkManager   444    0      0      0x0000000113654000  2014-05-16 16:47:24 UTC+0000
0xffff880113ca8000  avahi-daemon     446    104    109    0x000000011486d000  2014-05-16 16:47:24 UTC+0000
0xffff88011414db80  avahi-daemon     447    104    109    0x0000000113650000  2014-05-16 16:47:24 UTC+0000
0xffff880114badb80  udevd            451    0      0      0x0000000114801000  2014-05-16 16:47:24 UTC+0000
0xffff88011340adc0  modem-manager    462    0      0      0x0000000114093000  2014-05-16 16:47:24 UTC+0000
0xffff88011438c4a0  NetworkManager   463    0      0      0x0000000113654000  2014-05-16 16:47:24 UTC+0000
0xffff88011583c4a0  polkitd          467    0      0      0x0000000116c90000  2014-05-16 16:47:24 UTC+0000
0xffff8801171144a0  polkitd          469    0      0      0x0000000116c90000  2014-05-16 16:47:24 UTC+0000
0xffff8801142244a0  wpa_supplicant   522    0      0      0x00000001136ae000  2014-05-16 16:47:24 UTC+0000
0xffff8801141d2dc0  dhclient         523    0      0      0x0000000114260000  2014-05-16 16:47:24 UTC+0000
0xffff880114225b80  NetworkManager   524    0      0      0x0000000113654000  2014-05-16 16:47:24 UTC+0000
0xffff8801141b2dc0  upstart-socket-  562    0      0      0x00000001159e3000  2014-05-16 16:47:24 UTC+0000
0xffff880114182dc0  getty            621    0      0      0x0000000113ba9000  2014-05-16 16:47:24 UTC+0000
0xffff880113c50000  getty            627    0      0      0x000000011348a000  2014-05-16 16:47:24 UTC+0000
0xffff8801141d0000  getty            638    0      0      0x0000000113b94000  2014-05-16 16:47:24 UTC+0000
0xffff8801141d44a0  getty            641    0      0      0x00000001168d2000  2014-05-16 16:47:24 UTC+0000
0xffff880113e8c4a0  getty            644    0      0      0x0000000116f6b000  2014-05-16 16:47:24 UTC+0000
0xffff880113cf0000  acpid            651    0      0      0x0000000113ba0000  2014-05-16 16:47:24 UTC+0000
0xffff880113cf44a0  anacron          654    0      0      0x000000011732c000  2014-05-16 16:47:24 UTC+0000
0xffff880113cf5b80  cron             655    0      0      0x00000001136e6000  2014-05-16 16:47:24 UTC+0000
0xffff8801141b5b80  atd              656    0      0      0x00000001148d6000  2014-05-16 16:47:24 UTC+0000
0xffff880113bc96e0  irqbalance       663    0      0      0x0000000115664000  2014-05-16 16:47:24 UTC+0000
0xffff880113872dc0  VBoxService      787    0      0      0x00000001159a8000  2014-05-16 16:47:25 UTC+0000
0xffff880114e18000  VBoxService      789    0      0      0x00000001159a8000  2014-05-16 16:47:25 UTC+0000
0xffff880114e196e0  VBoxService      790    0      0      0x00000001159a8000  2014-05-16 16:47:25 UTC+0000
0xffff880114e1db80  VBoxService      791    0      0      0x00000001159a8000  2014-05-16 16:47:25 UTC+0000
0xffff880114e1c4a0  VBoxService      792    0      0      0x00000001159a8000  2014-05-16 16:47:25 UTC+0000
0xffff880114e444a0  VBoxService      793    0      0      0x00000001159a8000  2014-05-16 16:47:25 UTC+0000
0xffff880114e45b80  VBoxService      794    0      0      0x00000001159a8000  2014-05-16 16:47:25 UTC+0000
0xffff8801158144a0  VBoxService      795    0      0      0x00000001159a8000  2014-05-16 16:47:25 UTC+0000
0xffff88011414adc0  flush-8:0        898    0      0                          2014-05-16 16:47:25 UTC+0000
0xffff880113bc8000  getty            943    0      0      0x000000011406e000  2014-05-16 16:47:25 UTC+0000
0xffff88011583db80  gdm-binary       1015   0      0      0x000000011424b000  2014-05-16 16:47:26 UTC+0000
0xffff8801141d16e0  cupsd            1017   0      0      0x00000001136fe000  2014-05-16 16:47:26 UTC+0000
0xffff880117112dc0  console-kit-dae  1022   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114222dc0  console-kit-dae  1023   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801134016e0  console-kit-dae  1024   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801141b44a0  console-kit-dae  1025   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801141b16e0  console-kit-dae  1026   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114ed96e0  console-kit-dae  1027   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114edadc0  console-kit-dae  1028   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114ed8000  console-kit-dae  1029   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113408000  console-kit-dae  1030   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113ca96e0  console-kit-dae  1031   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113cec4a0  console-kit-dae  1032   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114e1adc0  console-kit-dae  1033   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113cf16e0  console-kit-dae  1034   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114e42dc0  console-kit-dae  1035   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114e416e0  console-kit-dae  1036   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113e8db80  console-kit-dae  1037   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880115815b80  console-kit-dae  1038   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880115812dc0  console-kit-dae  1039   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113bcadc0  console-kit-dae  1040   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113c52dc0  console-kit-dae  1041   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113dddb80  console-kit-dae  1042   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880115600000  console-kit-dae  1043   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801156016e0  console-kit-dae  1044   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880115602dc0  console-kit-dae  1045   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801156044a0  console-kit-dae  1046   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880115605b80  console-kit-dae  1047   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114e70000  console-kit-dae  1048   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114e716e0  console-kit-dae  1049   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114e72dc0  console-kit-dae  1050   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114e744a0  console-kit-dae  1051   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114e75b80  console-kit-dae  1052   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114e78000  console-kit-dae  1053   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114e796e0  console-kit-dae  1054   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114e7adc0  console-kit-dae  1055   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114e7c4a0  console-kit-dae  1056   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114e7db80  console-kit-dae  1057   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113500000  console-kit-dae  1058   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801135016e0  console-kit-dae  1059   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113502dc0  console-kit-dae  1060   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801135044a0  console-kit-dae  1061   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113505b80  console-kit-dae  1062   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113508000  console-kit-dae  1063   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801135096e0  console-kit-dae  1064   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff88011350adc0  console-kit-dae  1065   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff88011350c4a0  console-kit-dae  1066   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff88011350db80  console-kit-dae  1067   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113510000  console-kit-dae  1068   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801135116e0  console-kit-dae  1069   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113512dc0  console-kit-dae  1070   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801135144a0  console-kit-dae  1071   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113515b80  console-kit-dae  1072   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113518000  console-kit-dae  1073   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801135196e0  console-kit-dae  1074   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff88011351adc0  console-kit-dae  1075   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff88011351c4a0  console-kit-dae  1076   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff88011351db80  console-kit-dae  1077   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113520000  console-kit-dae  1078   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801135216e0  console-kit-dae  1079   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113522dc0  console-kit-dae  1080   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801135244a0  console-kit-dae  1081   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113525b80  console-kit-dae  1082   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113528000  console-kit-dae  1083   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff8801135296e0  console-kit-dae  1084   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880114eddb80  console-kit-dae  1086   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113cf2dc0  console-kit-dae  1087   0      0      0x000000011425f000  2014-05-16 16:47:26 UTC+0000
0xffff880113c516e0  gdm-simple-slav  1088   0      0      0x00000001141c0000  2014-05-16 16:47:26 UTC+0000
0xffff88011352c4a0  gdm-binary       1089   0      0      0x000000011424b000  2014-05-16 16:47:26 UTC+0000
0xffff88011352db80  Xorg             1091   0      0      0x00000001171df000  2014-05-16 16:47:26 UTC+0000
0xffff88011352adc0  gdm-simple-slav  1092   0      0      0x00000001141c0000  2014-05-16 16:47:26 UTC+0000
0xffff880114ba96e0  gdm-session-wor  1136   0      1000   0x0000000115777000  2014-05-16 16:47:27 UTC+0000
0xffff880114220000  upowerd          1139   0      0      0x0000000115794000  2014-05-16 16:47:27 UTC+0000
0xffff8801141d5b80  upowerd          1142   0      0      0x0000000115794000  2014-05-16 16:47:27 UTC+0000
0xffff8801157d5b80  rtkit-daemon     1157   110    119    0x0000000114f1d000  2014-05-16 16:47:27 UTC+0000
0xffff880114f8c4a0  rtkit-daemon     1162   110    119    0x0000000114f1d000  2014-05-16 16:47:27 UTC+0000
0xffff880114f8db80  rtkit-daemon     1163   110    119    0x0000000114f1d000  2014-05-16 16:47:27 UTC+0000
0xffff880114982dc0  gnome-keyring-d  1233   1000   1000   0x0000000116337000  2014-05-16 16:48:07 UTC+0000
0xffff880114a62dc0  gnome-keyring-d  1234   1000   1000   0x0000000116337000  2014-05-16 16:48:07 UTC+0000
0xffff880114bac4a0  gnome-session    1252   1000   1000   0x0000000114a29000  2014-05-16 16:48:07 UTC+0000
0xffff880113dd96e0  gdm-session-wor  1253   0      1000   0x0000000115777000  2014-05-16 16:48:07 UTC+0000
0xffff880114a65b80  VBoxClient       1295   1000   1000   0x0000000114961000  2014-05-16 16:48:08 UTC+0000
0xffff880114a60000  VBoxClient       1299   1000   1000   0x0000000114961000  2014-05-16 16:48:08 UTC+0000
0xffff8801149896e0  VBoxClient       1307   1000   1000   0x00000001172e2000  2014-05-16 16:48:08 UTC+0000
0xffff8801142216e0  VBoxClient       1312   1000   1000   0x00000001172e2000  2014-05-16 16:48:08 UTC+0000
0xffff880113bcdb80  VBoxClient       1315   1000   1000   0x00000001148f2000  2014-05-16 16:48:08 UTC+0000
0xffff8801158396e0  VBoxClient       1316   1000   1000   0x00000001148f2000  2014-05-16 16:48:08 UTC+0000
0xffff880114e40000  ssh-agent        1319   1000   1000   0x0000000116ddb000  2014-05-16 16:48:08 UTC+0000
0xffff880113ce96e0  dbus-launch      1322   1000   1000   0x000000011491f000  2014-05-16 16:48:08 UTC+0000
0xffff880113caadc0  dbus-daemon      1323   1000   1000   0x0000000116afd000  2014-05-16 16:48:08 UTC+0000
0xffff880115810000  gnome-session    1326   1000   1000   0x0000000114a29000  2014-05-16 16:48:08 UTC+0000
0xffff8801156c44a0  gconfd-2         1328   1000   1000   0x0000000116da2000  2014-05-16 16:48:08 UTC+0000
0xffff8801158116e0  gnome-session    1330   1000   1000   0x0000000114a29000  2014-05-16 16:48:08 UTC+0000
0xffff880117115b80  gnome-keyring-d  1339   1000   1000   0x0000000116337000  2014-05-16 16:48:08 UTC+0000
0xffff880113405b80  gnome-keyring-d  1341   1000   1000   0x0000000116337000  2014-05-16 16:48:08 UTC+0000
0xffff8801141816e0  gnome-keyring-d  1343   1000   1000   0x0000000116337000  2014-05-16 16:48:08 UTC+0000
0xffff880113870000  gnome-settings-  1344   1000   1000   0x0000000114b08000  2014-05-16 16:48:08 UTC+0000
0xffff880114180000  gnome-settings-  1345   1000   1000   0x0000000114b08000  2014-05-16 16:48:08 UTC+0000
0xffff880114185b80  gvfsd            1347   1000   1000   0x0000000116d3c000  2014-05-16 16:48:08 UTC+0000
0xffff8801134096e0  gvfs-fuse-daemo  1352   1000   1000   0x0000000116de5000  2014-05-16 16:48:08 UTC+0000
0xffff88011340c4a0  gvfs-fuse-daemo  1353   1000   1000   0x0000000116de5000  2014-05-16 16:48:08 UTC+0000
0xffff88011340db80  gvfs-fuse-daemo  1354   1000   1000   0x0000000116de5000  2014-05-16 16:48:08 UTC+0000
0xffff880114a616e0  gvfs-fuse-daemo  1355   1000   1000   0x0000000116de5000  2014-05-16 16:48:08 UTC+0000
0xffff880114a644a0  compiz           1357   1000   1000   0x0000000115e8f000  2014-05-16 16:48:08 UTC+0000
0xffff8801157d2dc0  pulseaudio       1359   1000   1000   0x00000001172c0000  2014-05-16 16:48:08 UTC+0000
0xffff880113875b80  compiz           1360   1000   1000   0x0000000115e8f000  2014-05-16 16:48:08 UTC+0000
0xffff8801157d16e0  alsa-sink        1361   1000   1000   0x00000001172c0000  2014-05-16 16:48:08 UTC+0000
0xffff8801138716e0  nautilus         1362   1000   1000   0x0000000114a01000  2014-05-16 16:48:08 UTC+0000
0xffff8801157d0000  alsa-source      1363   1000   1000   0x00000001172c0000  2014-05-16 16:48:08 UTC+0000
0xffff88011498adc0  gconf-helper     1366   1000   1000   0x0000000116dd7000  2014-05-16 16:48:08 UTC+0000
0xffff8801172a2dc0  gconf-helper     1367   1000   1000   0x0000000116dd7000  2014-05-16 16:48:08 UTC+0000
0xffff8801172a16e0  nm-applet        1370   1000   1000   0x0000000117118000  2014-05-16 16:48:08 UTC+0000
0xffff880114baadc0  polkit-gnome-au  1371   1000   1000   0x0000000115cf0000  2014-05-16 16:48:08 UTC+0000
0xffff880114f88000  gvfs-gdu-volume  1376   1000   1000   0x0000000116eb6000  2014-05-16 16:48:08 UTC+0000
0xffff880114f896e0  zeitgeist-datah  1377   1000   1000   0x00000001156e9000  2014-05-16 16:48:08 UTC+0000
0xffff88011583adc0  udisks-daemon    1379   0      0      0x00000001156e7000  2014-05-16 16:48:08 UTC+0000
0xffff8801156c0000  udisks-daemon    1381   0      0      0x00000001172ed000  2014-05-16 16:48:08 UTC+0000
0xffff8801156c16e0  udisks-daemon    1385   0      0      0x00000001156e7000  2014-05-16 16:48:08 UTC+0000
0xffff8801171116e0  gnome-power-man  1386   1000   1000   0x0000000115866000  2014-05-16 16:48:08 UTC+0000
0xffff8801141844a0  zeitgeist-datah  1389   1000   1000   0x00000001156e9000  2014-05-16 16:48:08 UTC+0000
0xffff8801138744a0  bluetooth-apple  1392   1000   1000   0x00000001173a4000  2014-05-16 16:48:08 UTC+0000
0xffff8801156c2dc0  polkit-gnome-au  1393   1000   1000   0x0000000115cf0000  2014-05-16 16:48:08 UTC+0000
0xffff880113bcc4a0  zeitgeist-daemo  1397   1000   1000   0x00000001173a6000  2014-05-16 16:48:08 UTC+0000
0xffff880113e88000  gvfs-gphoto2-vo  1399   1000   1000   0x0000000115d28000  2014-05-16 16:48:08 UTC+0000
0xffff8801172a5b80  evolution-alarm  1400   1000   1000   0x0000000113d60000

2014-05-16  16:48:08  UTC+0000 

0xffff880115df8000 

gvfs-afc -volume 

1402 

1000 

1000 

0x0000000115887000 

2014-05-16  16:48:08  UTC+0000 

0xffff880115df96e0 

gvfs-afc -volume 

1403 

1000 

1000 

0x0000000115887000 

2014-05-16  16:48:08  UTC+0000 

0xffff8801 14a82dc0 

nautilus 

1406 

1000 

1000 

0x00000001 14a0 1000 

2014-05-16  16:48:08  UTC+0000 

0xffff880113e896e0 

nm-applet 

1411 

1000 

1000 

0x0000000117118000 

2014-05-16  16:48:08  UTC+0000 

0xffff8801 15dfadc0 

gnome-power¬ 

man 

1416 

1000 

1000 

0x0000000115866000 

2014-05-16  16:48:08  UTC+0000 

0xffff8801 14a844a0 

cat 

1419 

1000 

1000 

0x00000001 16d05000 

2014-05-16  16:48:08  UTC+0000 

0xffff880114a85b80 

zeitgeist-daemo 

1420 

1000 

1000 

0x00000001 173a6000 

2014-05-16  16:48:08  UTC+0000 

0xffff880115a58000 

bluetooth-apple 

1447 

1000 

1000 

0x00000001 173a4000 

2014-05-16  16:48:09  UTC+0000 

0xffff880 1 15a8 1 6e0 

gvfsd-trash 

1450 

1000 

1000 

0x00000001 15a02000 

2014-05-16  16:48:09  UTC+0000 

0xffff8801 15a80000 

bluetooth-apple 

1453 

1000 

1000 

0x00000001 173a4000 

2014-05-16  16:48:09  UTC+0000 

0xffff8801 15alc4a0 

notify-osd 

1454 

1000 

1000 

0x00000001 15aOfOOO 

2014-05-16  16:48:09  UTC+0000 

0xffff8801 15a844a0 

evolution-alarm 

1457 

1000 

1000 

0x00000001 13d60000 

2014-05-16  16:48:09  UTC+0000 

0xffff880115a85b80 

notify-osd 

1460 

1000 

1000 

0x00000001 15aOfOOO 

2014-05-16  16:48:09  UTC+0000 

0xffff8801 14980000 

gvfsd-metadata 

1468 

1000 

1000 

0x00000001 15bf7000 

2014-05-16  16:48:09  UTC+0000 

0xffff8801 15dfc4a0 

gvfsd-bum 

1470 

1000 

1000 

0x0000000115418000 

2014-05-16  16:48:10  UTC+0000 

0xffff8801 13ddc4a0 

compiz 

1472 

1000 

1000 

0x00000001 15e8f000 

2014-05-16  16:48:10  UTC+0000 

0xffff880113dd8000 

dconf-service 

1475 

1000 

1000 

0x0000000 103dc5000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 15a5c4a0 

dconf-service 

1477 

1000 

1000 

0x0000000 103dc5000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 13cedb80 

sh 

1484 

1000 

1000 

0x00000001 1 54dd000 

2014-05-16  16:48:11  UTC+0000 
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0xffff5801 13ceadc0 

unity-window-de 

1485 

1000 

1000 

0x00000001 1549a000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 15dfdb80 

unity-panel-ser 

1488 

1000 

1000 

0x0000000115493000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 15aladc0 

unity-window-de 

1489 

1000 

1000 

0x00000001 1549a000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 15a5db80 

unity-panel-ser 

1491 

1000 

1000 

0x0000000115493000 

2014-05-16  16:48:11  UTC+0000 

OxffffS  80 1 1 4 1  bOOOO 

bamfdaemon 

1493 

1000 

1000 

0x00000001 154f3000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 15a5adcO 

unity-panel-ser 

1495 

1000 

1000 

0x0000000115493000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 14c20000 

indicator-datet 

1501 

1000 

1000 

0x00000001 14c06000 

2014-05-16  16:48:11  UTC+0000 

0xffff880114c216e0 

indicator-me-se 

1502 

1000 

1000 

0x00000001 14c68000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 14c22dc0 

indicator-sessi 

1503 

1000 

1000 

0x00000001 155da000 

2014-05-16  16:48:11  UTC+0000 

0xffff880103d796e0 

indicator-appli 

1504 

1000 

1000 

0x00000001 1550c000 

2014-05-16  16:48:11  UTC+0000 

0xffff8  80 103d7adc0 

indicator-messa 

1505 

1000 

1000 

0x0000000 103cec000 

2014-05-16  16:48:11  UTC+0000 

0xffff880103d7db80 

indicator-sound 

1509 

1000 

1000 

0x00000001 14c78000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 14d80000 

indicator-appli 

1515 

1000 

1000 

0x00000001 1550c000 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 14d816e0 

indicator-messa 

1516 

1000 

1000 

0x00000001 03 cecOOO 

2014-05-16  16:48:11  UTC+0000 

0xffff8801 14d85b80 

indicator-datet 

1523 

1000 

1000 

0x00000001 14c06000 

2014-05-16  16:48:11  UTC+0000 

0xffff880103e244a0 

indicator-me-se 

1531 

1000 

1000 

0x00000001 14c68000 

2014-05-16  16:48:11  UTC+0000 

0xffff880103e8adc0 

indicator-datet 

1538 

1000 

1000 

0x00000001 14c06000 

2014-05-16  16:48:11  UTC+0000 

0xffff880 1 03  c6db80 

indicator-sessi 

1539 

1000 

1000 

0x00000001 155da000 

2014-05-16  16:48:11  UTC+0000 

OxffffS 80103 eaOOOO 

indicator-sound 

1540 

1000 

1000 

0x00000001 14c78000 

2014-05-16  16:48:11  UTC+0000 

0xffff880103ea2dc0 

geoclue-master 

1542 

1000 

1000 

0x0000000 103d49000 

2014-05-16  16:48:11  UTC+0000 

0xffff880 1 03  ea44a0 

geoclue-master 

1543 

1000 

1000 

0x0000000 103d49000 

2014-05-16  16:48:11  UTC+0000 

0xffff880103e8c4a0 

indicator-sound 

1544 

1000 

1000 

0x00000001 14c78000 

2014-05-16  16:48:11  UTC+0000 

0xffff880103c6c4a0 

gnome-screensav 

1550 

1000 

1000 

0x00000001 03 rnooo 

2014-05-16  16:48:14  UTC+0000 

0xffff880 1 03  c6adc0 

gnome-terminal 

1552 

1000 

1000 

0x0000000101558000 

2014-05-16  16:48:14  UTC+0000 

0xffff880103c68000 

gnome-terminal 

1554 

1000 

1000 

0x0000000101558000 

2014-05-16  16:48:14  UTC+0000 

0xffff880103d7c4a0 

gnome-pty-helpe 

1555 

1000 

1000 

0x00000001 03  fafOOO 

2014-05-16  16:48:14  UTC+0000 

0xffff880103d78000 

bash 

1556 

1000 

1000 

0x0000000 1 0145a000 

2014-05-16  16:48:14  UTC+0000 

0xfff£880103e88000 

gnome-terminal 

1557 

1000 

1000 

0x0000000101558000 

2014-05-16  16:48:14  UTC+0000 

0xffff880103ffdb80 

gdu-notificatio 

1615 

1000 

1000 

0x00000001 03 f2c000 

2014-05-16  16:48:19  UTC+0000 

0xffff880103fe5b80 

applet.py 

1618 

1000 

1000 

0x00000001 16ed2000 

2014-05-16  16:48:39  UTC+0000 

0xffff880103fe0000 

update-notifier 

1621 

1000 

1000 

0x0000000036d2a000 

2014-05-16  16:49:09  UTC+0000 

Oxffff8 80 1 03  ff8 000 

update-notifier 

1622 

1000 

1000 

0x0000000036d2a000 

2014-05-16  16:49:09  UTC+0000 

Oxffff8  80 1 03  fe44aO 

system-service- 

1635 

0 

0 

0x0000000036dl 8000 

2014-05-16  16:49:10  UTC+0000 

0xffff880 1 14d82dc0 

unity-applicati 

1645 

1000 

1000 

0x0000000036d9a000 

2014-05-16  16:50:32  UTC+0000 

0xffff8801 14d844a0 

unity-files-dae 

1647 

1000 

1000 

0x0000000036cf9000 

2014-05-16  16:50:32  UTC+0000 

0xffff8801 15838000 

unity-files-dae 

1648 

1000 

1000 

0x0000000036cf9000 

2014-05-16  16:50:32  UTC+0000 

0xffff8801 149844a0 

unity-applicati 

1649 

1000 

1000 

0x0000000036d9a000 

2014-05-16  16:50:32  UTC+0000 

0xffff880103e896e0 

udevd 

1674 

0 

0 

0x0000000036e6e000 

2014-05-16  16:50:35  UTC+0000 

0xffff8801 157d44a0 

su 

1684 

0 

0 

0x0000000036ee0000 

2014-05-16  16:50:38  UTC+0000 

0xffff880 103ea  1 6e0 

bash 

1692 

0 

0 

0x0000000036e43000 

2014-05-16  16:50:46  UTC+0000 

72 


DRDC-RDDC-201 5-R060 


Offset 

Name 

PID 

UID 

GID 

DTB 

Start  Time 

0xffff880103e8db80 

kworker/0:0 

1888 

0 

0 

2014-05-16  16:52:25  UTC+0000 

0xffff880 1 03fe  1 6e0 

kworker/l:0 

1889 

0 

0 

2014-05-16  16:52:27  UTC+0000 

0xffff8801156788b8 

?GQ??? 

2800 

14135 

67809 

39...7 

0x0000000000000000 

2014-05-16  16:47:22  UTC+0000 
B.6  Output for plugin linux_psxview

The output in Table B.5 was generated by the Volatility linux_psxview plugin (see Section 3.3.6).

Table B.5: Plugin output for linux_psxview (sorted by PID).


Offset(V)           Name             PID   Pslist  Pid hash  Kmem cache  Parents  Leaders
0x0000000000000000                         FALSE   FALSE     FALSE       FALSE    TRUE
0xffffffff81a0b020  swapper          0     FALSE   FALSE     FALSE       TRUE     FALSE
0xffff8801176b8000  init             1     TRUE    TRUE      FALSE       TRUE     TRUE
0xffff8801176b96e0  kthreadd         2     TRUE    TRUE      FALSE       TRUE     TRUE
0xffff8801176badc0  ksoftirqd/0      3     TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801176bdb80  kworker/u:0      5     TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880117648000  migration/0      6     TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801176d96e0  migration/1      7     TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801176dc4a0  ksoftirqd/1      9     TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801176ddb80  kworker/0:1      10    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880117728000  cpuset           11    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801177116e0  khelper          12    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801177296e0  netns            13    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff88011772adc0  kworker/u:1      14    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff88011772c4a0  sync_supers      15    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff88011772db80  bdi-default      16    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880117050000  kintegrityd      17    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801170516e0  kblockd          18    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880117052dc0  kacpid           19    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801170544a0  kacpi_notify     20    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880117055b80  kacpi_hotplug    21    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880116e48000  ata_sff          22    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880116e496e0  khubd            23    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880116e4adc0  md               24    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880116e4c4a0  kworker/1:1      25    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880116e4db80  khungtaskd       26    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115ed8000  kswapd0          27    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115ed96e0  ksmd             28    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115edadc0  fsnotify_mark    29    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115edc4a0  aio              30    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115eddb80  ecryptfs-kthrea  31    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115fb8000  crypto           32    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115fbdb80  kthrotld         36    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115fbc4a0  scsi_eh_0        38    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880117712dc0  scsi_eh_1        39    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801177144a0  kmpathd          41    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115fb96e0  kmpath_handlerd  42    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880117715b80  kondemand        43    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114388000  kconservative    44    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801143896e0  kworker/0:2      45    TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113cadb80  kworker/1:2      155   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113c544a0  scsi_eh_2        166   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113cac4a0  xfs_mru_cache    185   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113952dc0  xfslogd          186   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff88011438db80  xfsdatad         187   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801139516e0  xfsconvertd      188   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801139544a0  xfsbufd/sda6     190   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113955b80  xfsaild/sda6     191   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113c55b80  xfssyncd/sda6    192   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113ce8000  upstart-udev-br  249   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113ddadc0  udevd            251   TRUE    TRUE      FALSE       TRUE     TRUE
0xffff8801134044a0  jbd2/sda1-8      370   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113402dc0  ext4-dio-unwrit  372   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114148000  iprt             405   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801141496e0  kpsmoused        406   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880117110000  dbus-daemon      420   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113e8adc0  rsyslogd         426   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114edc4a0  rsyslogd         441   FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801156c5b80  rsyslogd         442   FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113400000  NetworkManager   444   TRUE    TRUE      FALSE       TRUE     TRUE
0xffff880113ca8000  avahi-daemon     446   TRUE    TRUE      FALSE       TRUE     TRUE
0xffff88011414db80  avahi-daemon     447   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114badb80  udevd            451   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff88011340adc0  modem-manager    462   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff88011438c4a0  NetworkManager   463   FALSE   TRUE      FALSE       FALSE    FALSE
0xffff88011583c4a0  polkitd          467   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801171144a0  polkitd          469   FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801142244a0  wpasupplicant    522   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801141d2dc0  dhclient         523   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114225b80  NetworkManager   524   FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801141b2dc0  upstart-socket-  562   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114182dc0  getty            621   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113c50000  getty            627   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801141d0000  getty            638   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801141d44a0  getty            641   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113e8c4a0  getty            644   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113cf0000  acpid            651   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113cf44a0  anacron          654   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113cf5b80  cron             655   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801141b5b80  atd              656   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113bc96e0  irqbalance       663   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113872dc0  VBoxService      787   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114e18000  VBoxService      789   FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e196e0  VBoxService      790   FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e1db80  VBoxService      791   FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e1c4a0  VBoxService      792   FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e444a0  VBoxService      793   FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e45b80  VBoxService      794   FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801158144a0  VBoxService      795   FALSE   TRUE      FALSE       FALSE    FALSE
0xffff88011414adc0  flush-8:0        898   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113bc8000  getty            943   TRUE    TRUE      FALSE       FALSE    TRUE
0xffff88011583db80  gdm-binary       1015  TRUE    TRUE      FALSE       TRUE     TRUE
0xffff8801141d16e0  cupsd            1017  TRUE    FALSE     FALSE       TRUE     ?
0xffff880117112dc0  console-kit-dae  1022  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114222dc0  console-kit-dae  1023  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801134016e0  console-kit-dae  1024  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801141b44a0  console-kit-dae  1025  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801141b16e0  console-kit-dae  1026  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114ed96e0  console-kit-dae  1027  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114edadc0  console-kit-dae  1028  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114ed8000  console-kit-dae  1029  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113408000  console-kit-dae  1030  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113ca96e0  console-kit-dae  1031  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113cec4a0  console-kit-dae  1032  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e1adc0  console-kit-dae  1033  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113cf16e0  console-kit-dae  1034  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e42dc0  console-kit-dae  1035  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e416e0  console-kit-dae  1036  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113e8db80  console-kit-dae  1037  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880115815b80  console-kit-dae  1038  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880115812dc0  console-kit-dae  1039  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113bcadc0  console-kit-dae  1040  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113c52dc0  console-kit-dae  1041  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113dddb80  console-kit-dae  1042  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880115600000  console-kit-dae  1043  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801156016e0  console-kit-dae  1044  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880115602dc0  console-kit-dae  1045  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801156044a0  console-kit-dae  1046  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880115605b80  console-kit-dae  1047  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e70000  console-kit-dae  1048  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e716e0  console-kit-dae  1049  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e72dc0  console-kit-dae  1050  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e744a0  console-kit-dae  1051  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e75b80  console-kit-dae  1052  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e78000  console-kit-dae  1053  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e796e0  console-kit-dae  1054  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e7adc0  console-kit-dae  1055  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e7c4a0  console-kit-dae  1056  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e7db80  console-kit-dae  1057  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113500000  console-kit-dae  1058  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801135016e0  console-kit-dae  1059  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113502dc0  console-kit-dae  1060  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801135044a0  console-kit-dae  1061  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113505b80  console-kit-dae  1062  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113508000  console-kit-dae  1063  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801135096e0  console-kit-dae  1064  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff88011350adc0  console-kit-dae  1065  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff88011350c4a0  console-kit-dae  1066  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff88011350db80  console-kit-dae  1067  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113510000  console-kit-dae  1068  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801135116e0  console-kit-dae  1069  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113512dc0  console-kit-dae  1070  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801135144a0  console-kit-dae  1071  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113515b80  console-kit-dae  1072  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113518000  console-kit-dae  1073  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801135196e0  console-kit-dae  1074  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff88011351adc0  console-kit-dae  1075  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff88011351c4a0  console-kit-dae  1076  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff88011351db80  console-kit-dae  1077  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113520000  console-kit-dae  1078  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801135216e0  console-kit-dae  1079  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113522dc0  console-kit-dae  1080  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801135244a0  console-kit-dae  1081  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113525b80  console-kit-dae  1082  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113528000  console-kit-dae  1083  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801135296e0  console-kit-dae  1084  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114eddb80  console-kit-dae  1086  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113cf2dc0  console-kit-dae  1087  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113c516e0  gdm-simple-slav  1088  TRUE    TRUE      FALSE       TRUE     TRUE
0xffff88011352c4a0  gdm-binary       1089  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff88011352db80  Xorg             1091  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff88011352adc0  gdm-simple-slav  1092  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114ba96e0  gdm-session-wor  1136  TRUE    TRUE      FALSE       TRUE     TRUE
0xffff880114220000  upowerd          1139  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801141d5b80  upowerd          1142  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801157d5b80  rtkit-daemon     1157  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114f8c4a0  rtkit-daemon     1162  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114f8db80  rtkit-daemon     1163  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114982dc0  gnome-keyring-d  1233  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114a62dc0  gnome-keyring-d  1234  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114bac4a0  gnome-session    1252  TRUE    TRUE      FALSE       TRUE     TRUE
0xffff880113dd96e0  gdm-session-wor  1253  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114a65b80  VBoxClient       1295  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114a60000  VBoxClient       1299  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801149896e0  VBoxClient       1307  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801142216e0  VBoxClient       1312  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113bcdb80  VBoxClient       1315  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801158396e0  VBoxClient       1316  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114e40000  ssh-agent        1319  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113ce96e0  dbus-launch      1322  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113caadc0  dbus-daemon      1323  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115810000  gnome-session    1326  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801156c44a0  gconfd-2         1328  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801158116e0  gnome-session    1330  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880117115b80  gnome-keyring-d  1339  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113405b80  gnome-keyring-d  1341  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801141816e0  gnome-keyring-d  1343  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113870000  gnome-settings-  1344  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114180000  gnome-settings-  1345  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114185b80  gvfsd            1347  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801134096e0  gvfs-fuse-daemo  1352  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff88011340c4a0  gvfs-fuse-daemo  1353  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff88011340db80  gvfs-fuse-daemo  1354  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114a616e0  gvfs-fuse-daemo  1355  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114a644a0  compiz           1357  TRUE    TRUE      FALSE       TRUE     TRUE
0xffff8801157d2dc0  pulseaudio       1359  TRUE    TRUE      FALSE       TRUE     TRUE
0xffff880113875b80  compiz           1360  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801157d16e0  alsa-sink        1361  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801138716e0  nautilus         1362  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801157d0000  alsa-source      1363  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff88011498adc0  gconf-helper     1366  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801172a2dc0  gconf-helper     1367  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801172a16e0  nm-applet        1370  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114baadc0  polkit-gnome-au  1371  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114f88000  gvfs-gdu-volume  1376  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114f896e0  zeitgeist-datah  1377  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff88011583adc0  udisks-daemon    1379  TRUE    TRUE      FALSE       TRUE     TRUE
0xffff8801156c0000  udisks-daemon    1381  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801156c16e0  udisks-daemon    1385  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801171116e0  gnome-power-man  1386  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801141844a0  zeitgeist-datah  1389  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801138744a0  bluetooth-apple  1392  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801156c2dc0  polkit-gnome-au  1393  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113bcc4a0  zeitgeist-daemo  1397  TRUE    TRUE      FALSE       TRUE     TRUE
0xffff880113e88000  gvfs-gphoto2-vo  1399  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801172a5b80  evolution-alarm  1400  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115df8000  gvfs-afc-volume  1402  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115df96e0  gvfs-afc-volume  1403  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114a82dc0  nautilus         1406  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113e896e0  nm-applet        1411  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880115dfadc0  gnome-power-man  1416  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114a844a0  cat              1419  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114a85b80  zeitgeist-daemo  1420  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114a816e0  zeitgeist-datah  1421  TRUE    FALSE     FALSE       FALSE    FALSE
0xffff880115a58000  bluetooth-apple  1447  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880115a816e0  gvfsd-trash      1450  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115a80000  bluetooth-apple  1453  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880115a1c4a0  notify-osd       1454  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115a844a0  evolution-alarm  1457  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880115a85b80  notify-osd       1460  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114980000  gvfsd-metadata   1468  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115dfc4a0  gvfsd-burn       1470  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880113ddc4a0  compiz           1472  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113dd8000  dconf-service    1475  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115a5c4a0  dconf-service    1477  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880113cedb80  sh               1484  TRUE    TRUE      FALSE       TRUE     TRUE
0xffff880113ceadc0  unity-window-de  1485  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115dfdb80  unity-panel-ser  1488  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115a1adc0  unity-window-de  1489  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880115a5db80  unity-panel-ser  1491  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801141b0000  bamfdaemon       1493  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115a5adc0  unity-panel-ser  1495  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114c20000  indicator-datet  1501  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114c216e0  indicator-me-se  1502  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114c22dc0  indicator-sessi  1503  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880103d796e0  indicator-appli  1504  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880103d7adc0  indicator-messa  1505  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880103d7db80  indicator-sound  1509  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114d80000  indicator-appli  1515  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114d816e0  indicator-messa  1516  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880114d85b80  indicator-datet  1523  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880103e244a0  indicator-me-se  1531  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880103e8adc0  indicator-datet  1538  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880103c6db80  indicator-sessi  1539  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880103ea0000  indicator-sound  1540  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880103ea2dc0  geoclue-master   1542  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880103ea44a0  geoclue-master   1543  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880103e8c4a0  indicator-sound  1544  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880103c6c4a0  gnome-screensav  1550  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880103c6adc0  gnome-terminal   1552  TRUE    TRUE      FALSE       TRUE     TRUE
0xffff880103c68000  gnome-terminal   1554  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880103d7c4a0  gnome-pty-helpe  1555  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880103d78000  bash             1556  TRUE    TRUE      FALSE       TRUE     TRUE
0xffff880103e88000  gnome-terminal   1557  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880103ffdb80  gdu-notificatio  1615  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880103fe5b80  applet.py        1618  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880103fe0000  update-notifier  1621  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880103ff8000  update-notifier  1622  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880103fe44a0  system-service-  1635  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114d82dc0  unity-applicati  1645  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880114d844a0  unity-files-dae  1647  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880115838000  unity-files-dae  1648  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff8801149844a0  unity-applicati  1649  FALSE   TRUE      FALSE       FALSE    FALSE
0xffff880103e896e0  udevd            1674  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801157d44a0  su               1684  TRUE    TRUE      FALSE       TRUE     TRUE
0xffff880103ea16e0  bash             1692  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880103e8db80  kworker/0:0      1888  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff880103fe16e0  kworker/1:0      1889  TRUE    TRUE      FALSE       FALSE    TRUE
0xffff8801156788b8  ?GQ???           2800  FALSE   TRUE      FALSE       FALSE    FALSE
B.7 Output for plugin linux_lsmod

The output in Table B.6 was generated by the Volatility linux_lsmod plugin (see Section 3.6.1).


Table B.6: Plugin output for linux_lsmod (sorted by base address).


Base Address | Kernel Module | Size in Memory (in bytes)
ffffffffa0279380 | vboxvideo | 12540
ffffffffa02abd20 | drm | 227495
ffffffffa027f1a0 | vesafb | 13761
ffffffffa023a140 | binfmt_misc | 17565
ffffffffa0272740 | snd_intel8x0 | 38272
ffffffffa0262680 | snd_ac97_codec | 134270
ffffffffa0244080 | ac97_bus | 12730
ffffffffa022e520 | snd_pcm | 96625
ffffffffa0210040 | snd_seq_midi | 13324
ffffffffa0218080 | snd_rawmidi | 30486
ffffffffa014b020 | snd_seq_midi_event | 14899
ffffffffa0209700 | vboxsf | 39343
ffffffffa01cc060 | ppdev | 17113
ffffffffa01fb280 | snd_seq | 61621
ffffffffa01eb0a0 | snd_timer | 29602
ffffffffa01af060 | snd_seq_device | 14462
ffffffffa01530a0 | joydev | 17606
ffffffffa01442c0 | parport_pc | 36959
ffffffffa01de260 | snd | 67382
ffffffffa01c2e20 | psmouse | 73535
ffffffffa015a100 | serio_raw | 13166
ffffffffa000b000 | soundcore | 12680
ffffffffa01959c0 | vboxguest | 232904
ffffffffa015fb00 | i2c_piix4 | 13303
ffffffffa0041040 | snd_page_alloc | 18529
ffffffffa0139080 | lp | 17825
ffffffffa016c380 | parport | 46458
ffffffffa010c6e0 | xfs | 823190
ffffffffa002e000 | exportfs | 12998
ffffffffa00662a0 | usbhid | 46956
ffffffffa0056c80 | hid | 91020
ffffffffa003aa80 | ahci | 25951
ffffffffa00259a0 | e1000 | 111862
ffffffffa0004300 | libahci | 26642
B.8 Output for plugin linux_check_fop

The output in Table B.7 was generated by the Volatility linux_check_fop plugin (see Section 3.6.5).


Table B.7: Plugin output for linux_check_fop (sorted by Symbol Name).


Symbol Name | Member | Address
/ | readdir | 0xffffffffa02bd020
/ | readdir | 0xffffffffa02bd000
/bin | readdir | 0xffffffffa02bd020
/boot | readdir | 0xffffffffa02bd020
/dev | readdir | 0xffffffffa02bd020
/etc | readdir | 0xffffffffa02bd020
/etc/avahi | readdir | 0xffffffffa02bd020
/etc/cron.d | readdir | 0xffffffffa02bd020
/etc/X11 | readdir | 0xffffffffa02bd020
/etc/xdg | readdir | 0xffffffffa02bd020
/etc/xdg/menus | readdir | 0xffffffffa02bd020
/home | readdir | 0xffffffffa02bd020
/home/richard | readdir | 0xffffffffa02bd020
/home/richard/.cache | readdir | 0xffffffffa02bd020
/home/richard/.cache/dconf | readdir | 0xffffffffa02bd020
/home/richard/.cache/zeitgeist | readdir | 0xffffffffa02bd020
/home/richard/.config | readdir | 0xffffffffa02bd020
/home/richard/.config/dconf | readdir | 0xffffffffa02bd020
/home/richard/.gvfs | readdir | 0xffffffffa02bd020
/home/richard/.local | readdir | 0xffffffffa02bd020
/home/richard/.local...zeitgeist/fts.index | readdir | 0xffffffffa02bd020
/home/richard/.local/share | readdir | 0xffffffffa02bd020
/home/richard/.local/share/gvfs-metadata | readdir | 0xffffffffa02bd020
/home/richard/.local/share/zeitgeist | readdir | 0xffffffffa02bd020
/home/richard/.pulse | readdir | 0xffffffffa02bd020
/lib | readdir | 0xffffffffa02bd020
/lib/modules | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/auxdisplay | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/block/drbd | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/char/mwave | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/hid/usbhid | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/i2c/busses | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/infiniband | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/input/misc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/isdn/hisax | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/isdn/hysdn | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/isdn/mISDN | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/misc/cb710 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/misc/ti-st | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/net/arcnet | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/net/e1000e | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/net/netxen | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/net/pcmcia | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/net/qlcnic | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/net/stmmac | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/scsi/bnx2i | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/scsi/cxgbi | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/scsi/libfc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/scsi/mvsas | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/staging/hv | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/tty/serial | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/usb/c67x00 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/usb/gadget | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/usb/serial | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/video/kyro | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/video/riva | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/w1/masters | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../drivers/xen/xenbus | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../infiniband/hw/mlx4 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../infiniband/ulp/srp | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/cpu/cpufreq | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/ata | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/atm | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/dca | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/dma | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/gpu | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/hid | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/i2c | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/mfd | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/mmc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/mtd | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/net | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/nfc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/pci | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/pps | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/rtc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/spi | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/ssb | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/tty | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/uio | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/usb | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/uwb | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/drivers/xen | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/fs/configfs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/fs/exportfs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/fs/freevxfs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/fs/reiserfs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/fs/squashfs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/sound/synth | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../kernel/ubuntu/aufs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../media/dvb/dvb-core | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../media/dvb/firewire | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../media/radio/si470x | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../media/video/au0828 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../media/video/em28xx | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../net/bluetooth/bnep | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../net/bluetooth/cmtp | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../net/bluetooth/hidp | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../net/ipv4/netfilter | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../net/ipv6/netfilter | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../net/netfilter/ipvs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../sound/drivers/opl3 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../sound/drivers/pcsp | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../sound/pci/korg1212 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../sound/pci/lx6464es | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../staging/quickstart | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../staging/serqt_usb2 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../staging/vme/boards | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../staging/wlags49_h2 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../ubuntu/iscsitarget | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../ubuntu/ndiswrapper | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../usb/misc/sisusbvga | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../wireless/ath/ath5k | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../wireless/ath/ath9k | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-.../wireless/b43legacy | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...6/kernel/cpu/mcheck | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...a/video/gspca/gl860 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...a/video/gspca/m5602 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...arch/x86/kernel/cpu | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...c/kernel/drivers/md | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...c/kernel/drivers/w1 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...c/kernel/fs/autofs4 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...c/kernel/fs/fscache | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...c/kernel/fs/hfsplus | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...c/kernel/net/bridge | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...c/kernel/net/decnet | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...c/kernel/net/econet | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...c/kernel/net/netrom | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...c/kernel/net/phonet | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...c/kernel/net/sunrpc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...c/kernel/sound/core | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...dia/video/usbvision | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/char/pcmcia | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/gpu/drm/i2c | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/gpu/drm/mga | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/gpu/drm/sis | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/gpu/drm/ttm | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/gpu/drm/via | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/input/mouse | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/input/serio | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/isdn/divert | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/media/radio | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/media/video | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/message/i2o | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/misc/c2port | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/misc/eeprom | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/misc/ibmasm | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/mtd/devices | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/mtd/onenand | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/net/bonding | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/net/can/usb | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/net/chelsio | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/net/cxgb4vf | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/net/ixgbevf | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/net/pch_gbe | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/net/vmxnet3 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/net/wan/lmc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/pci/hotplug | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/pps/clients | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/scsi/arcmsr | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/scsi/libsas | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/scsi/pcmcia | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/scsi/pm8001 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/staging/bcm | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/staging/iio | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/staging/sep | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/staging/vme | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/usb/storage | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...drivers/video/geode | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...edia/video/et61x251 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/char/agp | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/char/ip2 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/char/tpm | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/dma/ioat | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/firewire | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/firmware | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/gpu/stub | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/isdn/i4l | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/media/rc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/memstick | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/mmc/card | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/mmc/host | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/mtd/maps | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/mtd/nand | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/net/atlx | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/net/caif | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/net/enic | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/net/irda | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/net/ixgb | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/net/mlx4 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/net/qlge | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/net/skfp | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/net/vxge | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/platform | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/scsi/bfa | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/scsi/osd | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/usb/host | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/usb/misc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/drivers/watchdog | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/fs/ocfs2/cluster | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/lib/reed_solomon | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/lib/zlib_deflate | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/sound/drivers/vx | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/sound/pci/asihpi | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/sound/pci/au88x0 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/sound/pci/ca0106 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/sound/pci/cs46xx | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/sound/pci/mixart | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/sound/pci/oxygen | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/sound/pci/ymfpci | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/sound/soc/codecs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/sound/synth/emux | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/ubuntu/compcache | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...el/ubuntu/rtl8192se | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/drivers | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/adfs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/affs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/befs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/ceph | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/cifs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/coda | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/fuse | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/gfs2 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/hpfs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/nfsd | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/ntfs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/omfs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/qnx4 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/fs/sysv | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/net/802 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/net/atm | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/net/can | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/net/ipx | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/net/key | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/net/llc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/net/rds | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...eric/kernel/net/x25 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/drivers/block | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/drivers/hwmon | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/drivers/input | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/drivers/media | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/drivers/power | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/drivers/vhost | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/drivers/video | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/fs/cachefiles | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/fs/nfs_common | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/net/appletalk | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/net/bluetooth | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/net/netfilter | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/net/wanrouter | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/security/keys | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/sound/drivers | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/sound/pci/aw2 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/sound/pci/hda | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ernel/ubuntu/rfkill | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/gpu/drm/nouveau | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/infiniband/core | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/media/dvb/bt8xx | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/media/dvb/ngene | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/media/dvb/siano | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/media/dvb/ttpci | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/media/video/pwc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/media/video/uvc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/net/can/sja1000 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/net/can/softing | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/staging/cx25821 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/staging/easycap | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/staging/iio/adc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/staging/iio/dac | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/staging/iio/dds | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/staging/iio/imu | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/staging/rtl8712 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/staging/slicoss | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/staging/speakup | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/staging/winbond | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/staging/wlan-ng | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/video/backlight | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ers/video/vermilion | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ess/rtl818x/rtl8180 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ess/rtl818x/rtl8187 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...et/bluetooth/rfcomm | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...et/bridge/netfilter | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...et/decnet/netfilter | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...et/wireless/ipw2x00 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...et/wireless/iwlwifi | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...et/wireless/orinoco | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...et/wireless/prism54 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...et/wireless/rtl818x | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...et/wireless/rtlwifi | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...g/comedi/kcomedilib | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...g/ft1000/ft1000-usb | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ging/comedi/drivers | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ging/samsung-laptop | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ia/dvb/ttusb-budget | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ic/kernel/fs/cramfs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ic/kernel/fs/nilfs2 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ic/kernel/lib/raid6 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ic/kernel/net/8021q | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ic/kernel/net/rxrpc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ic/kernel/net/sched | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ic/kernel/net/wimax | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ic/kernel/sound/i2c | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ic/kernel/sound/isa | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ic/kernel/sound/pci | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ic/kernel/sound/soc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ic/kernel/sound/usb | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...infiniband/hw/cxgb3 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...infiniband/hw/cxgb4 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...infiniband/hw/ipath | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...infiniband/hw/mthca | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...infiniband/ulp/iser | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...iniband/hw/amso1100 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ireless/libertas_tf | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...isdn/hardware/eicon | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...isdn/hardware/mISDN | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/infiniband/hw | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/isdn/hardware | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/media/dvb/pt1 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/memstick/core | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/memstick/host | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/net/appletalk | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/net/tokenring | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/scsi/be2iscsi | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/scsi/megaraid | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/staging/keucr | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/staging/line6 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/staging/panel | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/staging/se401 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/staging/sm7xx | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/staging/smbfs | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/staging/ti-st | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/staging/usbip | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/staging/xgifb | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/usb/host/whci | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/uwb/i1480/dfu | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/video/display | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/video/intelfb | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...ivers/video/mb862xx | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/arch/x86/kvm | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/drivers/acpi | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/drivers/char | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/drivers/edac | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/drivers/gpio | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/drivers/idle | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/drivers/isdn | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/drivers/leds | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/drivers/misc | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/drivers/scsi | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/fs/ocfs2/dlm | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/net/mac80211 | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/net/wireless | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/sound/isa/sb | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...kernel/sound/pcmcia | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...l/arch/x86/oprofile | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...l/drivers/acpi/apei | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...l/drivers/block/aoe | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...l/drivers/bluetooth | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...l/drivers/char/ipmi | readdir | 0xffffffffa02bd020
/lib/modules/2.6.38-...l/drivers/i2c/algos | readdir | 0xffffffffa02bd020

/lib/modules/2 . 6 . 3  8  -. . .  1/ drivers/ i2c/ muxes 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ drivers/ isdn/capi 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ drivers/ media/d  vb 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  1/ drivers/ mtd/ chips 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ drivers/ mtd/lpddr 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ drivers/ mtd/tests 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  1/ dri  vers/net/atl  1  c 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  1/ dri  vers/net/atl  1  e 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ dri  vers/net/benet 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ dri  vers/net/bnx2x 

readdir 

0xffffffffa02bd020 
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/lib/modules/2 . 6 . 3  8  1/ dri  vers/net/cxgb3 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  .  1/ dri  vers/net/cxgb4 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... 1/drivers/net/el  000 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  1/dri  vers/net/igb  vf 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ dri  vers/net/ixgbe 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  1/ drivers/net/tulip 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  1/ dri  vers/net/wimax 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ drivers/regulator 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ dri  vers/scsi/fcoe 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  1/ drivers/scsi/  fnic 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ dri  vers/scsi/lpfc 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ drivers/telephony 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  1/ dri  vers/usb/ class 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  1/ dri  vers/usb/ image 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ drivers/uwb/ i  1 4  8  0 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ drivers/  video/aty 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  1/dri  vers/video/sis 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  1/ drivers/video/via 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  1/ dri  vers/w  1  /  slaves 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  1/ drivers/xen/  xenfs 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... l/sound/pci/ali5451 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -.. .  1/sound/pci/ emu  1  Ok  1 

readdir 

0xffffffffa02bd020 

/lib/modules/2.6.38-...l/sound/pci/icel712 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... 1/sound/pci/riptide 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  l/sound/pci/rme9652 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... 1/sound/pci/trident 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -.. .  1/ubuntu/ dm-raid4-5 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  media/ common/tuners 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  media/ d  vb/ frontends 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  media/ d  vb/ttusb-dec 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-.. .media/video/cx231xx 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  media/video/cx23  8  8 5 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... media/video/cx25840 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... media/video/pvrusb2 

readdir 

0xffffffffa02bd020 
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/lib/modules/2 . 6 . 3  8  .  media/video/saa7 1 3  4 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  media/video/saa7 164 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... media/video/sn9c  102 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-.. .media/video/tlg2300 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nd/pcmcia/pdaudiocf 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  ,nel/arch/x8  6/ crypto 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  ,nel/arch/x8  6/kemel 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .nel/crypto/async_tx 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -..  .nel/ drivers/ gpu/ drm 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  nel/drivers/message 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  nel/ drivers/ mtd/ubi 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nel/drivers/net/bna 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nel/drivers/net/can 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .nel/ drivers/net/igb 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -..  .nel/ drivers/net/phy 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nel/drivers/net/sfc 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  nel/ drivers/net/usb 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nel/drivers/net/wan 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  nel/drivers/parport 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .nel/ drivers/staging 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .nel/ drivers/usb/ atm 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -..  .nel/ drivers/usb/otg 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nel/net/irda/ircomm 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  nel/ sound/ i2c/other 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nel/sound/pci/ctxfi 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nel/sound/pci/nm256 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nel/sound/pci/pcxhr 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nel/sound/pci/vx222 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nel/sound/pcmcia/vx 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nel/sound/usb/caiaq 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  nel/ sound/usb/usx2y 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nel/ubuntu/fsam7400 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  nel/ubuntu/omnibook 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .neric/kemel/ crypto 

readdir 

0xffffffffa02bd020 
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/lib/modules/2 . 6 . 3  8  .  .neric/kemel/ fs/afs 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  neric/kemel/fs/bfs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .neric/kemel/ fs/dlm 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -.. .  neric/kernel/ fs/efs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .neric/kemel/ fs/ fat 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .neric/kemel/ fs/hfs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .neric/kemel/ fs/j  fs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .neric/kemel/ fs/nfs 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  neric/kemel/fs/nls 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .neric/kemel/ fs/udf 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -.. .  neric/kemel/ fs/ufs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .neric/kemel/ fs/xfs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .neric/keme  1/lib/ xz 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .neric/keme  1/net/ 9p 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  neric/keme  1/ubuntu 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .net/sunrpc/ auth_gss 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  net/ sunrpc/ xprtrdma 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .net/wireless/hostap 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  net/wireless/rt2x00 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .net  /  wireless/wl  1251 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .net/ wireless/wl  1 2xx 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... nfmiband/ulp/ipoib 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ng  /  iio/ magnetometer 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  ound/ drivers/mpu40 1 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .put/j  oy  stick/iforce 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... r/pcmcia/ipwireless 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... reless/ath/carl9 170 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  reless/iwmc3200wifi 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  ,ric/kemel/arch/x8  6 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/kemel/ fs/btrfs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/kemel/ fs/exofs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/kemel/fs/ isofs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/kemel/ fs/j  ffs2 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/kemel/fs/lockd 

readdir 

0xffffffffa02bd020 
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/lib/  modules/2 .6.38-..  .ric/kemel/ fs/ minix 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... ric/kemel/fs/ncpfs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/kemel/ fs/ocfs2 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/kemel/fs/ quota 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/kemel/fs/romfs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/kemel/fs/ubifs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  ,ric/kemel/net/ax25 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/kemel/net/caif 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/keme  1/net/ ceph 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/keme  1/net/core 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/kemel/net/ deep 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/kemel/net/ ip  v4 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/kemel/net/ ip  v6 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/keme  1/net/irda 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  ,ric/kemel/net/12tp 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/keme  1/net/lapb 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-..  .ric/kemel/net/rose 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/keme  1/net/sctp 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  ric/kemel/net/tipc 

readdir 

0xffffffffa02bd020 

/lib/ modules/2 .6.38-..  .ric/keme  1/net/xfrm 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .ric/keme  1/security 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/block/paride 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/gpu/ drm/  i  8 1 0 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/gpu/ drm/i8  3  0 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/gpu/ drm/  i9 1 5 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/gpu/ drrn/r  1 2  8 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/gpu/ drm/  tdfx 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/input/tablet 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/isdn/  gigaset 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/media/ common 

readdir 

0xffffffffa02bd020 

/lib/ modules/2 .6.38-. .  .rivers/net/hamradio 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/net/ myri  1  Oge 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/net/wireless 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/p  latform/x8  6 

readdir 

0xffffffffa02bd020 
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/lib/modules/2 . 6 . 3  8  .  .rivers/scsi/ aacraid 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  .  .rivers/scsi/  aic7xxx 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  .  .rivers/scsi/  aic94xx 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-.. .rivers/scsi/mpt2sas 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/scsi/ qla2xxx 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/scsi/ qla4xxx 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/staging/echo 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/staging/lirc 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/staging/ zram 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/usb/  wusbcore 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/video/ matrox 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... rivers/video/nvidia 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rivers/video/savage 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .mel/dri  vers/ crypto 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .mel/drivers/pcmc  ia 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rnel/dri  vers/target 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .mel/dri  vers/virtio 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .mel/fs/ocfs2/ dlmfs 

readdir 

0xffffffffa02bd020 

/lib/  modules/2 .6.38-..  .mel/net/batman-adv 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  mel/net/ieee802 154 

readdir 

0xffffffffa02bd020 

/lib/ modules/2 .6.38-..  .mel/net/ irda /  irlan 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .mel/net/ irda /  imet 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .mel/sound/ core/seq 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-..  .mel/sound/pci/ac97 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .mel/sound/usb/ misc 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -..  .rs/media/  dvb/ dm  1105 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -..  .rs/media/  dvb/ mantis 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rs/ media/  d  vb/pluto2 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -..  .rs/ media/rc/keymaps 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -..  .rs/ media/video/cx  1 8 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-.. ,rs/media/video/cx88 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rs/ media/video/ ivtv 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... rs/misc/iwmc3200top 

readdir 

0xffffffffa02bd020 

/lib/  modules/2 .6.38-..  .rs/net/  wimax/ i2400m 

readdir 

0xffffffffa02bd020 
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/lib/modules/2 . 6 . 3  8  .  .rs/net/ wireless/ath 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  .  .rs/net/  wireless/b43 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... rs/net/wireless/p54 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-..  ,rs/scsi/sym53c8xx_2 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rs/staging/  cptm  1 2 1 7 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rs/staging/  frontier 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rs/staging/ iio/ gyro 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .rs/staging/pohmelfs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  ,rs/staging/rtl8 1 92e 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  ,rs/staging/rtl8 1 92u 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  ,rs/staging/ste_rmi4 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... rs/staging/usbvideo 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  s/ infmiband/hw/  qib 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  s/input/touchscreen 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  s/ isdn/hardware/ avm 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -...  s/media/dvb/dvb-usb 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  s/media/  video/bt  8xx 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  s/media/video/cpia2 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... s/media/video/gspca 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  s/media/  video/hdp  vr 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... s/media/video/zoran 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -.. .  s/rtlwifi/rtl8 1 92ce 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... s/scsi/cxgbi/cxgb3i 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-.. ,s/scsi/cxgbi/cxgb4i 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  s/staging/  asus_oled 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -.. .  s/staging/brcm8 0211 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -.. .  s/staging/  cry  stalhd 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  s/staging/  dt3 1 5  5  v41 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -.. .  s/staging/iio/ accel 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -.. .  s/staging/iio/ addac 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  s/staging/iio/light 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  s/staging/iio/ meter 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -.. .  s/staging/rtl8 1 8  7se 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -.. .  s/staging/rts_pstor 

readdir 

0xffffffffa02bd020 
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/lib/modules/2 . 6 . 3  8  .  s/staging/  sbe-2t3  e3 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  scsi/device_handler 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  sound/pci/echoaudio 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -.. .  st  aging/iio/trigger 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -.. .  staging/  vme/bridges 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  staging/  vme/ devices 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  staging/  wlags49_h25 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... t/wireless/libertas 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .t/wireless/zd  1 2 1 1  rw 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .taging/ iio/resolver 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .taging  /  quatech_usb2 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-...  und/pci/cs5535audio 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/ char/hw_random 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/ gpu/ drm/  radeon 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/ gpu/ drm/savage 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/ infmiband/ulp 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  vers/ input/ gameport 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/ input/j  oystick 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... vers/input/keyboard 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/ media/d  vb/b2c2 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... vers/message/fusion 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/ staging/  autofs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/ staging/comedi 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  vers/staging/ ext  1  e  1 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/staging/  dabusb 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/staging/  et  1 3 1  x 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/staging/  ft  1 000 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... vers/staging/go7007 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/ staging/phison 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/ staging/rt2 860 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  vers/staging/rt2 870 

readdir 

0xffffffffa02bd020 

/lib/modules/2. 6. 38-... vers/staging/tm6000 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. .  .vers/staging/  vt665 6 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8 -...  vers/tty/serial/j  sm 

readdir 

0xffffffffa02bd020 
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/lib/modules/2. 6. 38-... video/gspca/stv06xx 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -. . .  wireless/ath/ar9 1 7  0 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -8  -generic 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -8  -generic/initrd 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -8  -generic/kemel 

readdir 

0xffffffffa02bd020 

/lib/ modules/2 . 6 . 3  8  -8  -generic/kemel/arch 

readdir 

0xffffffffa02bd020 

/lib/ modules/2 . 6 . 3  8  -8  -generic/kemel/fs 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -8  -generic/kemel/fs/ 9p 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -8  -generic/kemel/lib 

readdir 

0xffffffffa02bd020 

/lib/ modules/2 . 6 . 3  8  -8  -generic/kemel/net 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8  -8  -generic/kemel/sound 

readdir 

0xffffffffa02bd020 

/lib/modules/2 . 6 . 3  8-8  -generic/misc 

readdir 

0xffffffffa02bd020 

/lib/security 

readdir 

0xffffffffa02bd020 

/lib/x86_64-linux-gnu 

readdir 

0xffffffffa02bd020 

/lib/x86_64-linux-gnu/security 

readdir 

0xffffffffa02bd020 

/media 

readdir 

0xffffffffa02bd020 

/media/malware 

readdir 

0xffffffffa02bd020 

/opt 

readdir 

0xffffffffa02bd020 

/opt/VBoxGuestAdditi.../VBoxGuestAdditions 

readdir 

0xffffffffa02bd020 

/opt/VBoxGuestAdditions-4. 1 . 8 

readdir 

0xffffffffa02bd020 

/opt/VBoxGuestAdditions-4. 1 . 8/bin 

readdir 

0xffffffffa02bd020 

/opt/VBoxGuestAdditions-4. 1 . 8/lib 

readdir 

0xffffffffa02bd020 

/opt/VBoxGuestAdditions-4. 1 ,8/sbin 

readdir 

0xffffffffa02bd020 

/proc 

readdir 

0xffffffffa02bd000 

/proc 

readdir 

0xffffffffa02bd020 

/root 

readdir 

0xffffffffa02bd020 

/root/.cache 

readdir 

0xffffffffa02bd020 

/root/.config 

readdir 

0xffffffffa02bd020 

/root/.dbus 

readdir 

0xffffffffa02bd020 

/root/.pulse 

readdir 

0xffffffffa02bd020 

/root/usr 

readdir 

0xffffffffa02bd020 

/sbin 

readdir 

0xffffffffa02bd020 

/selinux 

readdir 

0xffffffffa02bd020 

/sys 

readdir 

0xffffffffa02bd020 
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/tmp 

readdir 

0xffffffffa02bd020 

/tmp/.esd-1000 

readdir 

0xffffffffa02bd020 

/tmp/.lCE-unix 

readdir 

0xffffffffa02bd020 

/tmp/.Xl  1-unix 

readdir 

0xffffffffa02bd020 

/tmp/keyring-nLdrWW 

readdir 

0xffffffffa02bd020 

/tmp/ orbit-richard 

readdir 

0xffffffffa02bd020 

/tmp/pulse-Oq95HwknZJva 

readdir 

0xffffffffa02bd020 

/tmp/ssh-hvKvcPmB  1 252 

readdir 

0xffffffffa02bd020 

/usr 

readdir 

0xffffffffa02bd020 

/usr/bin 

readdir 

0xffffffffa02bd020 

/usr/lib 

readdir 

0xffffffffa02bd020 

/usr/lib/bamf 

readdir 

0xffffffffa02bd020 

/usr/lib/compiz 

readdir 

0xffffffffa02bd020 

/usr/lib/ compizconfig 

readdir 

0xffffffffa02bd020 

/usr/lib/compizconfig/backends 

readdir 

0xffffffffa02bd020 

/usr/lib/d-conf 

readdir 

0xffffffffa02bd020 

/usr/lib/dri 

readdir 

0xffffffffa02bd020 

/usr/lib/evolution 

readdir 

0xffffffffa02bd020 

/usr/lib/evolution/2 . 3  2 

readdir 

0xffffffffa02bd020 

/usr/lib/ gdk-pixbuf-2 . 0 

readdir 

0xffffffffa02bd020 

/usr/lib/gdk-pixbuf-2.0/2. 10.0 

readdir 

0xffffffffa02bd020 

/usr/lib/gdk-pixbuf-2.0/2. 1 0.0/loaders 

readdir 

0xffffffffa02bd020 

/usr/lib/gdm 

readdir 

0xffffffffa02bd020 

/usr/lib/geoclue 

readdir 

0xffffffffa02bd020 

/usr/lib/gio 

readdir 

0xffffffffa02bd020 

/usr/lib/gio/modules 

readdir 

0xffffffffa02bd020 

/usr/lib/gnome-disk-utility 

readdir 

0xffffffffa02bd020 

/usr/lib/gnome-settings-daemon 

readdir 

0xffffffffa02bd020 

/usr/lib/gnome-settings-daemon-2.0 

readdir 

0xffffffffa02bd020 

/usr/lib/gtk-2.0 

readdir 

0xffffffffa02bd020 

/usr/lib/ gtk-2 .0/2.10.0 

readdir 

0xffffffffa02bd020 

/usr/lib/ gtk-2 .0/2.10.0/ engines 

readdir 

0xffffffffa02bd020 

/usr/lib/gtk-2.0/2. 1 0.0/immodules 

readdir 

0xffffffffa02bd020 

/usr/lib/gtk-2.0/2. 1 0.0/menuproxies 

readdir 

0xffffffffa02bd020 

DRDC-RDDC-201 5-R060 


103 


Symbol  Name 

Member 

Address 

/usr/lib/ gtk-2 . 0/ modules 

readdir 

0xffffffffa02bd020 

/usr/lib/gvfs 

readdir 

0xffffffffa02bd020 

/usr/lib/indicator-application 

readdir 

0xffffffffa02bd020 

/usr/lib/indicator-datetime 

readdir 

0xffffffffa02bd020 

/usr/lib/indicator-me 

readdir 

0xffffffffa02bd020 

/usr/lib/indicator-messages 

readdir 

0xffffffffa02bd020 

/usr/lib/indicators 

readdir 

0xffffffffa02bd020 

/usr/lib/indicators/5 

readdir 

0xffffffffa02bd020 

/usr/lib/indicator-session 

readdir 

0xffffffffa02bd020 

/usr/lib/indicator-sound 

readdir 

0xffffffffa02bd020 

/usr/lib/libgconf2-4 

readdir 

0xffffffffa02bd020 

/usr/lib/libgconf2-4/2 

readdir 

0xffffffffa02bd020 

/usr/lib/libvte9 

readdir 

0xffffffffa02bd020 

/usr/lib/locale 

readdir 

0xffffffffa02bd020 

/usr/lib/mesa 

readdir 

0xffffffffa02bd020 

/usr/lib/ModemManager 

readdir 

0xffffffffa02bd020 

/usr/lib/nautilus 

readdir 

0xffffffffa02bd020 

/usr/lib/nautilus/extensions-2.0 

readdir 

0xffffffffa02bd020 

/usr/lib/N  etworkManager 

readdir 

0xffffffffa02bd020 

/usr/lib/notify-osd 

readdir 

0xffffffffa02bd020 

/usr/lib/policykit-1 

readdir 

0xffffffffa02bd020 

/usr/lib/policykit-1  -gnome 

readdir 

0xffffffffa02bd020 

/usr/lib/pulse-0.9.22 

readdir 

0xffffffffa02bd020 

/usr/lib/pulse-0. 9.22/modules 

readdir 

0xffffffffa02bd020 

/usr/lib/pulseaudio 

readdir 

0xffffffffa02bd020 

/usr/lib/pulseaudio/pulse 

readdir 

0xffffffffa02bd020 

/usr/lib/pyshared 

readdir 

0xffffffffa02bd020 

/usr/lib/pyshared/py. . .  ,7/gtk-2. 0/pynotify 

readdir 

0xffffffffa02bd020 

/usr/lib/pyshared/python2.7 

readdir 

0xffffffffa02bd020 

/usr/lib/pyshared/python2. 7/cairo 

readdir 

0xffffffffa02bd020 

/usr/lib/pyshared/python2 . 7/ gtk-2 . 0 

readdir 

0xffffffffa02bd020 

/usr/lib/pyshared/python2 . 7/ gtk-2 . 0/ gtk 

readdir 

0xffffffffa02bd020 

/usr/lib/python2 . 7 

readdir 

0xffffffffa02bd020 

/usr/lib/python2 . ' 7/d . . .  ackages/gtk-2 . 0/gio 

readdir 

0xffffffffa02bd020 
/usr/lib/python2.7/dist-packages               readdir    0xffffffffa02bd020
/usr/lib/python2.7/dist-packages/glib          readdir    0xffffffffa02bd020
/usr/lib/python2.7/dist-packages/gobject       readdir    0xffffffffa02bd020
/usr/lib/python2.7/dist-packages/gtk-2.0       readdir    0xffffffffa02bd020
/usr/lib/python2.7/dist-packages/xapian        readdir    0xffffffffa02bd020
/usr/lib/python2.7/lib-dynload                 readdir    0xffffffffa02bd020
/usr/lib/rsyslog                               readdir    0xffffffffa02bd020
/usr/lib/rtkit                                 readdir    0xffffffffa02bd020
/usr/lib/udisks                                readdir    0xffffffffa02bd020
/usr/lib/unity                                 readdir    0xffffffffa02bd020
/usr/lib/unity-place-applications              readdir    0xffffffffa02bd020
/usr/lib/unity-place-files                     readdir    0xffffffffa02bd020
/usr/lib/upower                                readdir    0xffffffffa02bd020
/usr/lib/x86_64-linu...pango/1.6.0/modules     readdir    0xffffffffa02bd020
/usr/lib/x86_64-linux-gnu                      readdir    0xffffffffa02bd020
/usr/lib/x86_64-linux-gnu/gconv                readdir    0xffffffffa02bd020
/usr/lib/x86_64-linux-gnu/pango                readdir    0xffffffffa02bd020
/usr/lib/x86_64-linux-gnu/pango/1.6.0          readdir    0xffffffffa02bd020
/usr/lib/xorg                                  readdir    0xffffffffa02bd020
/usr/lib/xorg/modules                          readdir    0xffffffffa02bd020
/usr/lib/xorg/modules/extensions               readdir    0xffffffffa02bd020
/usr/lib/xorg/modules/input                    readdir    0xffffffffa02bd020
/usr/local                                     readdir    0xffffffffa02bd020
/usr/local/bin                                 readdir    0xffffffffa02bd020
/usr/local/sbin                                readdir    0xffffffffa02bd020
/usr/local/share                               readdir    0xffffffffa02bd020
/usr/sbin                                      readdir    0xffffffffa02bd020
/usr/share                                     readdir    0xffffffffa02bd020
/usr/share/applications                        readdir    0xffffffffa02bd020
/usr/share/fonts                               readdir    0xffffffffa02bd020
/usr/share/fonts/tru.../ubuntu-font-family     readdir    0xffffffffa02bd020
/usr/share/fonts/truetype                      readdir    0xffffffffa02bd020
/usr/share/fonts/truetype/ttf-dejavu           readdir    0xffffffffa02bd020
/usr/share/glib-2.0                            readdir    0xffffffffa02bd020
/usr/share/glib-2.0/schemas                    readdir    0xffffffffa02bd020
/usr/share/icons                               readdir    0xffffffffa02bd020
/usr/share/icons/DMZ-White                     readdir    0xffffffffa02bd020
/usr/share/icons/DMZ-White/cursors             readdir    0xffffffffa02bd020
/usr/share/icons/gnome                         readdir    0xffffffffa02bd020
/usr/share/icons/hicolor                       readdir    0xffffffffa02bd020
/usr/share/icons/Humanity                      readdir    0xffffffffa02bd020
/usr/share/icons/Humanity-Dark                 readdir    0xffffffffa02bd020
/usr/share/icons/ubuntu-mono-dark              readdir    0xffffffffa02bd020
/usr/share/icons/unity-icon-theme              readdir    0xffffffffa02bd020
/usr/share/locale                              readdir    0xffffffffa02bd020
/usr/share/locale/en                           readdir    0xffffffffa02bd020
/usr/share/locale/en/LC_MESSAGES               readdir    0xffffffffa02bd020
/usr/share/locale-la...k/en_US/LC_MESSAGES     readdir    0xffffffffa02bd020
/usr/share/locale-langpack                     readdir    0xffffffffa02bd020
/usr/share/locale-langpack/en                  readdir    0xffffffffa02bd020
/usr/share/locale-langpack/en/LC_MESSAGES      readdir    0xffffffffa02bd020
/usr/share/locale-langpack/en_US               readdir    0xffffffffa02bd020
/usr/share/mime                                readdir    0xffffffffa02bd020
/usr/share/vte                                 readdir    0xffffffffa02bd020
/usr/share/vte/termcap-0.0                     readdir    0xffffffffa02bd020
/usr/share/zoneinfo                            readdir    0xffffffffa02bd020
/usr/share/zoneinfo/Africa                     readdir    0xffffffffa02bd020
/var                                           readdir    0xffffffffa02bd020
/var/cache                                     readdir    0xffffffffa02bd020
/var/cache/fontconfig                          readdir    0xffffffffa02bd020
/var/cache/software-center                     readdir    0xffffffffa02bd020
/var/cache/software-center/xapian              readdir    0xffffffffa02bd020
/var/lib                                       readdir    0xffffffffa02bd020
/var/lib/dhcp                                  readdir    0xffffffffa02bd020
/var/lib/NetworkManager                        readdir    0xffffffffa02bd020
/var/lock                                      readdir    0xffffffffa02bd020
/var/log                                       readdir    0xffffffffa02bd020
/var/log/ConsoleKit                            readdir    0xffffffffa02bd020
/var/log/gdm                                   readdir    0xffffffffa02bd020
/var/mail                                      readdir    0xffffffffa02bd020
/var/run                                       readdir    0xffffffffa02bd020
/var/spool                                     readdir    0xffffffffa02bd020
/var/spool/anacron                             readdir    0xffffffffa02bd020
/var/spool/cron                                readdir    0xffffffffa02bd020
/var/spool/cron/atjobs                         readdir    0xffffffffa02bd020
/var/spool/cron/crontabs                       readdir    0xffffffffa02bd020
anacron 3 []                                   readdir    0xffffffffa02bd020
proc mnt: root                                 readdir    0xffffffffa02bd000
procroot                                       readdir    0xffffffffa02bd000
List of symbols/abbreviations/acronyms/initialisms

API         Application Programming Interface
AV          Anti-virus or antivirus
BIOS        Basic Input/Output System
CAF         Canadian Armed Forces
CFNOC       Canadian Forces Network Operation Centre
CPU         Central Processing Unit
DHCP        Dynamic Host Configuration Protocol
DNS         Domain Name Service / Domain Name Server
DRDC        Defence Research and Development Canada
DSL         Digital Subscriber Line
DTB         Directory Table Base
DVD         Digital Video Disc or Digital Versatile Disc
DVD +/- RW  Digital Video Disc +/- Read/Write
ECL         Export Control List
ELF         Executable and Linkable Format
eSATA       External SATA
EVT         Exception Vector Table
FAC         Forces armées canadiennes
GB          Gigabyte (1 x 10^9)
GCC         GNU C Compiler
GDDR5       Graphics Double Data Rate 5
GHz         Gigahertz
GiB         Gibibyte (2^30 bytes)
GID         Group ID
ID          Identification
IDT         Interrupt Descriptor Table
IGMP        Internet Group Management Protocol
IP          Internet Protocol
IT          Information Technology
ITCU        Integrated Technological Crime Unit
KiB         Kibibyte (2^10 bytes)
LKM         Loadable Kernel Module
Lsof        LiSt Open Files
LTO5        Linear Tape-Open 5
MD5         Message-Digest Algorithm 5
NAT         Network Address Translation
NSRL        National Software Reference Library
PAE         Physical Address Extension
PAM         Pluggable Authentication Module
PC          Personal Computer
PCI         Peripheral Component Interconnect
PID         Process ID
PO Box      Post-Office Box or Post Office Box
PPID        Parent Process ID
R&D         Research & Development
RAM         Random Access Memory
RCMP        Royal Canadian Mounted Police
SAS         Serial Attached SCSI
SATA        Serial ATA or Serial AT Attachment or
SHA1        Secure Hash Algorithm-1
SMP         Symmetric Multiprocessing
Syscall     System Call
TB          Terabyte (1 x 10^12)
TCP         Transmission Control Protocol
TI          Technologie de l'information
TM          Technical Memorandum
TTY         TeleTYpe
UDP         User Datagram Protocol
UID         User ID
USB2/3      Universal Serial Bus 2/3
UTC         Coordinated Universal Time
VM          Virtual Machine
x64         64-bit PC architecture
x86         32-bit PC architecture

DOCUMENT  CONTROL  DATA 

(Security  markings  for  the  title,  abstract  and  indexing  annotation  must  be  entered  when  the  document  is  Classified  or  Designated) 


ORIGINATOR  (The  name  and  address  of  the  organization  preparing  the  document. 
Organizations  for  whom  the  document  was  prepared,  e.g.,  Centre  sponsoring  a 
contractor's  report,  or  tasking  agency,  are  entered  in  Section  8.) 


2a.  SECURITY  MARKING 

(Overall  security  marking  of  the  document  including 
special  supplemental  markings  if  applicable.) 


DRDC  -  Valcartier  Research  Centre 
Defence  Research  and  Development  Canada 
2459  route  de  la  Bravoure 
Quebec  (Quebec)  G3J  1X5 
Canada 


UNCLASSIFIED 


2b.  CONTROLLED  GOODS 

(NON-CONTROLLED  GOODS) 
DMCA 

REVIEW:  GCEC  DECEMBER  2012 


3.  TITLE  (The  complete  document  title  as  indicated  on  the  title  page.  Its  classification  should  be  indicated  by  the  appropriate  abbreviation  (S,  C  or  U)  in 
parentheses  after  the  title.) 


Malware memory analysis of the IVYL Linux rootkit: Investigating a publicly available Linux
rootkit using the Volatility memory analysis framework


4.  AUTHORS  (last  name,  followed  by  initials  -  ranks,  titles,  etc.,  not  to  be  used) 


Carbone,  R. 


5.  DATE  OF  PUBLICATION 

6a.  NO.  OF  PAGES 

6b.  NO.  OF  REFS 

(Month  and  year  of  publication  of  document.) 

April  2015 

(Total  containing  information, 
including  Annexes,  Appendices, 
etc.) 

(Total  cited  in  document.) 

128 

13 

7.  DESCRIPTIVE  NOTES  (The  category  of  the  document,  e.g.,  technical  report,  technical  note  or  memorandum.  If  appropriate,  enter  the  type  of  report, 
e.g.,  interim,  progress,  summary,  annual  or  final.  Give  the  inclusive  dates  when  a  specific  reporting  period  is  covered.) 


Scientific  Report 


8.  SPONSORING  ACTIVITY  (The  name  of  the  department  project  office  or  laboratory  sponsoring  the  research  and  development  -  include  address.) 


DRDC  -  Valcartier  Research  Centre 
Defence  Research  and  Development  Canada 
2459  route  de  la  Bravoure 
Quebec  (Quebec)  G3J  1X5 
Canada 


9a.  PROJECT  OR  GRANT  NO.  (If  appropriate,  the  applicable  research 
and  development  project  or  grant  number  under  which  the  document 
was  written.  Please  specify  whether  project  or  grant.) 

9b.  CONTRACT  NO.  (If  appropriate,  the  applicable  number  under 
which  the  document  was  written.) 

10a.  ORIGINATOR’S  DOCUMENT  NUMBER  (The  official  document 
number  by  which  the  document  is  identified  by  the  originating 
activity.  This  number  must  be  unique  to  this  document.) 

10b. OTHER DOCUMENT NO(s). (Any other numbers which may be
assigned this document either by the originator or by the sponsor.)

DRDC-RDDC-2015-R060

11. DOCUMENT AVAILABILITY (Any limitations on further dissemination of the document, other than those imposed by security classification.)


Unlimited 


12. DOCUMENT ANNOUNCEMENT (Any limitation to the bibliographic announcement of this document. This will normally correspond to the
Document Availability (11). However, where further distribution (beyond the audience specified in (11)) is possible, a wider announcement
audience may be selected.)


Unlimited 


13. ABSTRACT (A brief and factual summary of the document. It may also appear elsewhere in the body of the document itself. It is highly desirable that
the abstract of classified documents be unclassified. Each paragraph of the abstract shall begin with an indication of the security classification of the
information in the paragraph (unless the document itself is unclassified) represented as (S), (C), (R), or (U). It is not necessary to include here abstracts in
both official languages unless the text is bilingual.)

This report is the second in a series that will examine Linux Volatility-specific memory
malware-based analysis techniques. Windows-based malware memory analysis techniques were
analysed in a previous series. Unlike these Windows-based reports, some of the techniques
described therein are not applicable to Linux-based analyses, including data carving and
anti-virus scanning. Thus, with minimal use of scanner-based technologies, the author will
demonstrate what to look for while conducting Linux-specific Volatility-based investigations.
Each investigation consists of an infected memory image and its accompanying Volatility
memory profile that will be used to examine a different open source rootkit. Some of the
rootkits are user-land while others are kernel-based. Rootkits were chosen over Trojans, worms
and viruses as rootkits tend to be more sophisticated. This specific investigation examines the
IVYL rootkit. It is hoped that through the proper application of various Volatility plugins
combined with an in-depth knowledge of the Linux operating system, these case studies will
provide guidance to other investigators in their own analyses.


(Résumé, translated from French) This report is the second in a series examining Linux-specific
techniques for analysing malware in memory with the Volatility tool. Memory analysis techniques
for Windows malware were described in previous reports. However, some of those techniques, such
as data carving and anti-virus scanning, do not apply to Linux analyses. Consequently, with
minimal use of scanning technologies, the author will demonstrate what to look for when
conducting Linux-specific investigations with Volatility. Each investigation consists of an
infected memory image, accompanied by its Volatility memory profile, and will examine a different
open source rootkit. Some will be user-mode while others will be kernel-mode. Rootkits were
preferred to Trojan horses, worms and viruses because they tend to be more sophisticated. The
present investigation specifically examines the IVYL rootkit. It is hoped that, with appropriate
use of various Volatility plugins and an in-depth knowledge of the Linux operating system, these
case studies will provide guidance to other investigators for their own analyses.


14.  KEYWORDS,  DESCRIPTORS  or  IDENTIFIERS  (Technically  meaningful  terms  or  short  phrases  that  characterize  a  document  and  could  be  helpful 
in  cataloguing  the  document.  They  should  be  selected  so  that  no  security  classification  is  required.  Identifiers,  such  as  equipment  model  designation, 
trade  name,  military  project  code  name,  geographic  location  may  also  be  included.  If  possible  keywords  should  be  selected  from  a  published  thesaurus, 
e.g..  Thesaurus  of  Engineering  and  Scientific  Terms  (TEST)  and  that  thesaurus  identified.  If  it  is  not  possible  to  select  indexing  terms  which  are 
Unclassified,  the  classification  of  each  should  be  indicated  as  with  the  title.) 

Anti-virus;  Antivirus;  Computer  forensics;  Computer  infection;  Computer  memory  forensics; 
Digital  forensics;  Digital  memory  forensics;  Forensics;  Infection;  IVYL;  Linux;  Malware;  Memory 
analysis;  Memory  forensics;  Memory  image;  Rootkit;  Scanners;  Virus  scanner;  Volatility 


